LinuxQuestions.org

-   -   PAM allow one usergroup and root from specified ip (http://www.linuxquestions.org/questions/linux-software-2/pam-allow-one-usergroup-and-root-from-specified-ip-4175419730/)

hakkis 08-01-2012 06:50 AM

PAM allow one usergroup and root from specified ip
 
Hi

I am trying to configure PAM to allow ssh login only for root from a specified IP and for an Active Directory group.

Separately, I get both restrictions working:

Only root from a specified IP:
- I added to /etc/ssh/sshd_config the line
AllowUsers root@192.168.11.1
- Problem: sshd_config doesn't support BOTH AllowUsers and AllowGroups at the same time, and AllowGroups doesn't support IP restrictions for groups (e.g. mygroup@192.168.1.1)

Only my AD group:
- I added to the /etc/pam.d/sshd file the line
auth required pam_winbind.so try_first_pass require_membership_of=mydomaingroup


The problem is how to get both of those rules working at the same time.

I googled a lot and concluded that I have to do it using only PAM. I have tested a few configurations, but no luck so far.

Hopefully you get what I'm trying to do, and thanks for any advice!

acid_kewpie 08-01-2012 06:56 AM

ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.

hakkis 08-01-2012 07:44 AM

Quote:

Originally Posted by acid_kewpie (Post 4743043)
ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.

Normally users in the domain group use that server, but our backup system logs in as root using ssh, so that's why root login has to be allowed. I know it's not nice, but I think it is not so insecure, because only one IP is allowed. And our environment is offline - no connection to the internet at all...

But is it possible to put domain groups in the access.conf file? I didn't find where to do it.

And do I have to put something like this in the /etc/pam.d/sshd file:
auth required pam_access.so

acid_kewpie 08-01-2012 07:57 AM

There's no distinction about where the groups come from. A group is a group. If it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.

hakkis 08-01-2012 08:04 AM

Quote:

Originally Posted by acid_kewpie (Post 4743100)
There's no distinction about where the groups come from. A group is a group. If it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.

I got root working using access.conf, but I didn't get my AD group working.

Now I have these lines in the access.conf file:
+ : root : 192.168.1.10 #Allow root ssh login from 192.168.1.10
+ : @my-ad-group : ALL #Allow users in my-ad-group to log in
- : ALL : ALL #Deny access to all the others

With this configuration only root can log in.

I also added the line:
auth required pam_access.so
to the /etc/pam.d/sshd file.
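A small model of how pam_access walks the three access.conf rules above, added here as an illustration (it is not code from the thread nor from pam_access itself). The user names, origin IPs and the two NSS views are constructed; it shows that an @group rule can only match when NSS can resolve the user's groups, which is what "id <user>" reports.

```python
# Simplified model of how pam_access evaluates /etc/security/access.conf, written
# for this thread (not the module's code): the first matching rule wins, and a
# request that matches no rule is permitted, as pam_access does.
ACCESS_CONF = """\
+ : root : 192.168.1.10   # Allow root ssh login from 192.168.1.10
+ : @my-ad-group : ALL    # Allow users in my-ad-group from anywhere
- : ALL : ALL             # Deny everyone else
"""
# Constructed NSS views. With winbind on the passwd/group lines of nsswitch.conf
# the AD user resolves; without it the lookup fails ("id: ...: No such user").
NSS_WITH_WINBIND = {"alice": {"domain users", "my-ad-group"}}
NSS_WITHOUT_WINBIND = {}

def parse_access_conf(text):
    # Return (permission, [users], [origins]) triples in file order; comments dropped.
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    # ALL matches anything; a pattern ending in "." is a network prefix; else exact.
    if pattern == "ALL":
        return True
    return origin.startswith(pattern) if pattern.endswith(".") else origin == pattern

def user_matches(pattern, user, nss):
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        # Membership comes from NSS (what "id <user>" prints): a user NSS cannot see
        # has no groups, so the @group rule never matches and "- : ALL : ALL" denies.
        return pattern[1:] in nss.get(user, set())
    return pattern == user

def access_decision(rules, user, origin, nss):
    for perm, users, origins in rules:
        if any(user_matches(u, user, nss) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True  # no rule matched: pam_access permits by default

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    print(access_decision(rules, "root", "192.168.1.10", NSS_WITH_WINBIND))   # True
    print(access_decision(rules, "alice", "10.0.0.5", NSS_WITHOUT_WINBIND))  # False
```

Swap NSS_WITHOUT_WINBIND for NSS_WITH_WINBIND in the second call to see the AD user pass once NSS resolves the group.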

acid_kewpie 08-01-2012 08:59 AM

If you pick a user account and do "id <username>", does it list the group?

hakkis 08-01-2012 09:04 AM

Quote:

Originally Posted by acid_kewpie (Post 4743150)
If you pick a user account and do "id <username>", does it list the group?

If I run
id mydomainaccount

I get
id: mydomainaccount: No such user

Before I added the line
auth required pam_access.so
I was able to log in using my domain account.

acid_kewpie 08-01-2012 09:13 AM

How had you configured the domain accounts then? With LDAP to AD, or domain membership to AD, you should get the details in getent, so it sounds like you've done something directly to PAM to allow them to log in, with maybe fudged POSIX details?

hakkis 08-01-2012 09:23 AM

Quote:

Originally Posted by acid_kewpie (Post 4743159)
How had you configured the domain accounts then? With LDAP to AD, or domain membership to AD, you should get the details in getent, so it sounds like you've done something directly to PAM to allow them to log in, with maybe fudged POSIX details?

The server has joined the domain, and when I log in using PuTTY I put mydomain\mydomainaccount and that's it. To be honest I didn't understand what you asked me... Domain accounts just work... I haven't done any other configuration.

The domain is Windows Active Directory and the Linux OS is SLES11.

acid_kewpie 08-01-2012 09:26 AM

So these users don't show up on "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?

acid_kewpie 08-01-2012 09:32 AM

In your smb.conf, do you have "winbind enum users" and "winbind enum groups" set to yes? Posting your smb.conf might be useful.

hakkis 08-01-2012 09:35 AM

Quote:

Originally Posted by acid_kewpie (Post 4743174)
So these users don't show up on "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?

Yes, they don't show up on getent passwd. I don't know what UIDs and GIDs they get, because I didn't find a way to check that. When I joined the domain I ticked the box "create home directory".

acid_kewpie 08-01-2012 09:38 AM

Actually, looking around more, Samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the group and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.

hakkis 08-02-2012 01:50 AM

Quote:

Originally Posted by acid_kewpie (Post 4743186)
Actually, looking around more, Samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the group and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.

Yes I can see every group in AD.

acid_kewpie 08-02-2012 03:14 AM

So check the nsswitch.conf file then.
