Old 08-01-2012, 06:50 AM   #1
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

PAM allow one usergroup and root from specified ip


Hi

I am trying to configure PAM to allow ssh login only for root from specified ip and Active Directory group.

Separately I get both of restrictions working:

Only root from specified ip:
-I added to /etc/ssh/sshd_config line
AllowUsers root@192.168.11.1
-Problem: sshd_config doesn't support BOTH AllowUsers and AllowGroups at the same time, and AllowGroups doesn't support ip-restrictions for groups (e.g. mygroup@192.1681.1)

Only my AD group:
-I added to /etc/pam.d/sshd file line
auth required pam_winbind.so try_first_pass require_membership_of=mydomaingroup


The problem is how to get both of those rules working at the same time?

I googled a lot and concluded that I have to do it using only PAM. I have tested a few configurations but no luck so far.

Hopefully you get what I'm trying to do, and thanks for any advice!

Last edited by hakkis; 08-01-2012 at 07:16 AM. Reason: typos
 
Old 08-01-2012, 06:56 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.
 
Old 08-01-2012, 07:44 AM   #3
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.
Normally users in the domain group use that server, but our backup system logs in as root using ssh, so that's why root login has to be allowed. I know it's not nice, but I think it is not so insecure, because only one IP is allowed. And our environment is offline - no connection to the internet at all...

But is it possible to put domain groups in the access.conf file? I didn't find the place for it.

And do I have to put something like this in the /etc/pam.d/sshd file:
auth required pam_access.so
 
Old 08-01-2012, 07:57 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

There's no distinction about where the groups come from. A group is a group. If it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.
 
Old 08-01-2012, 08:04 AM   #5
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
There's no distinction about where the groups come from. A group is a group. If it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.
I got root working using access.conf, but I didn't get my AD group working.

Now I have these lines in the access.conf file:
# Allow root ssh login from 192.168.1.10
+ : root : 192.168.1.10
# Allow users in my-ad-group to log in
+ : @my-ad-group : ALL
# Deny access to all others
- : ALL : ALL

With this configuration only root can log in.

I also added the line:
auth required pam_access.so
to the /etc/pam.d/sshd file.

Last edited by hakkis; 08-01-2012 at 08:06 AM. Reason: also added line to sshd file
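The three rules in this post, walked through a small first-match evaluator. This is an added example, not code from the thread or from pam_access itself, and it implements only the subset of access.conf syntax the rules use (user names, @group, ALL, and literal origins). Real pam_access resolves the user's groups through NSS, which is what "id USER" shows; this version takes the group list as an argument, precisely the lookup that is failing for the AD accounts here. The rule file, users, groups and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal re-implementation of the
# first-match rule walk pam_access performs over access.conf, so the effect of
# the rules posted above can be checked offline. Only the subset used here is
# implemented: user names, @group, ALL; literal origins and ALL.

# Constructed copy of the thread's rules. Comments sit on their own lines
# because pam_access only treats a line whose first character is '#' as a
# comment; anything after the third field is parsed as more origin tokens.
ACCESS_CONF='
# Allow root ssh login from 192.168.1.10 only
+ : root : 192.168.1.10
# Allow members of my-ad-group from anywhere
+ : @my-ad-group : ALL
# Deny everybody else
- : ALL : ALL
'

# user_field_matches USER "GROUPS" "FIELD" -> 0 if any token in FIELD matches
user_field_matches() {
    for tok in $3; do
        case $tok in
            ALL) return 0 ;;
            @*)  for g in $2; do [ "$g" = "${tok#@}" ] && return 0; done ;;
            *)   [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# origin_field_matches ORIGIN "FIELD" -> 0 if any token in FIELD matches
origin_field_matches() {
    for tok in $2; do
        case $tok in
            ALL) return 0 ;;
            *)   [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# access_decision USER "GROUPS" ORIGIN -> prints allow|deny
# First matching rule wins; pam_access permits when no rule matches at all.
access_decision() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' ')
        ufield=$(printf '%s\n' "$line" | cut -d: -f2)
        ofield=$(printf '%s\n' "$line" | cut -d: -f3)
        if user_field_matches "$1" "$2" "$ufield" \
           && origin_field_matches "$3" "$ofield"; then
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            return 0
        fi
    done <<EOF
$ACCESS_CONF
EOF
    echo allow
}

# Walk a few constructed logins (user, resolved groups, source address)
# through the rules and show the decision each one gets.
for login in "root root 192.168.1.10" "root root 10.0.0.5" \
             "alice my-ad-group 10.0.0.5" "alice users 10.0.0.5"; do
    set -- $login
    printf '%-6s groups=%-12s from %-13s -> %s\n' \
        "$1" "$2" "$3" "$(access_decision "$1" "$2" "$3")"
done
```

The last case is the situation in this thread: when the AD account's groups cannot be resolved, "@my-ad-group" never matches and the login falls through to the final "- : ALL : ALL" line, which is why only root (matched by name on the first line) can still get in.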
 
Old 08-01-2012, 08:59 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

if you pick a user account and do "id <username>" does it list the group?
 
Old 08-01-2012, 09:04 AM   #7
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
if you pick a user account and do "id <username>" does it list the group?
If I run
id mydomainaccount

I get
id: mydomainaccount: No such user

Before I added the line
auth required pam_access.so
I was able to log in using my domain account.
 
Old 08-01-2012, 09:13 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

How had you configured the domain accounts then? With LDAP to AD, or domain membership to AD, you should get the details in getent, so it sounds like you've done something directly to PAM to allow them to log in, with maybe fudged POSIX details?
 
Old 08-01-2012, 09:23 AM   #9
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
How had you configured the domain accounts then? With LDAP to AD, or domain membership to AD, you should get the details in getent, so it sounds like you've done something directly to PAM to allow them to log in, with maybe fudged POSIX details?
The server has joined the domain, and when I log in using PuTTY I put mydomain\mydomainaccount and that's it. To be honest I didn't understand what you asked me... Domain accounts just work... I haven't done any other configuration.

The domain is Windows Active Directory and the Linux OS is SLES11.

Last edited by hakkis; 08-01-2012 at 09:26 AM. Reason: added more information
 
Old 08-01-2012, 09:26 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

So these users don't show up on "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?
 
Old 08-01-2012, 09:32 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

On your smb.conf, do you have "winbind enum users" and "winbind enum groups" set to yes? Posting your smb.conf might be useful.
 
Old 08-01-2012, 09:35 AM   #12
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
So these users don't show up on "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?
Yes, they don't show up on getent passwd. I don't know what UIDs and GIDs they get, because I didn't find a way to check that. When I joined the domain I ticked the box "create home directory".
 
Old 08-01-2012, 09:38 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Actually, looking around more, samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the groups and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.
 
Old 08-02-2012, 01:50 AM   #14
hakkis
LQ Newbie
 
Registered: Aug 2012
Posts: 11

Original Poster
Quote: Originally Posted by acid_kewpie
Actually, looking around more, samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the groups and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.
Yes, I can see every group in AD.
 
Old 08-02-2012, 03:14 AM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

so check the nsswitch.conf file then
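The check the last few posts converge on, as an added example that is not part of the thread: does /etc/nsswitch.conf hand the passwd and group databases to winbind? When it does not, "wbinfo -g" can list every AD group while "getent" and "id" know nothing about them, and a "@my-ad-group" rule in access.conf can never match. The two sample nsswitch.conf files below are constructed stand-ins so the check runs without a domain-joined host; on the real server you would point it at /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread: verify that nsswitch.conf lists winbind
# for the passwd and group databases, the link between "wbinfo -g" working and
# "getent group" / "id USER" working.

# nss_db_has_source CONF DB SOURCE
# Returns 0 when the DB line (e.g. "group: files winbind") in CONF lists SOURCE.
nss_db_has_source() {
    awk -v db="$2" -v src="$3" '
        /^[[:space:]]*#/ { next }     # comment lines
        { sub(/:/, " ") }             # "passwd: files" -> "passwd files", refields $0
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_nsswitch CONF
# Prints one line per database; returns 0 only if both passwd and group are
# served by winbind.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        if nss_db_has_source "$1" "$db" winbind; then
            echo "ok:      $db is served by winbind"
        else
            echo "MISSING: $db line does not list winbind (expected e.g. \"$db: files winbind\")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for /etc/nsswitch.conf.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
# local files first, then Active Directory via winbind
passwd: files winbind
group:  files winbind
hosts:  files dns
EOF

cat > "$BAD_CONF" <<'EOF'
# joined to the domain, but NSS was never told about winbind
passwd: compat
group:  compat
hosts:  files dns
EOF

echo "== good sample =="
check_nsswitch "$GOOD_CONF"
echo "== bad sample =="
check_nsswitch "$BAD_CONF" || \
    echo "after fixing nsswitch.conf, confirm with: wbinfo -g; getent group my-ad-group; id some-domain-user"
```

The order of the follow-up commands matters for diagnosis: "wbinfo -g" only proves winbind can talk to the domain, "getent group" proves libc can see those groups through NSS, and "id USER" proves the user resolves and carries the group, which is what pam_access needs before the "@my-ad-group" line can ever match.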
 
  


Tags
access control list, pam

