sshd.conf

Orangutanklaus · 08-16-2017, 01:47 AM

Hello!

I've joined a Debian 8 server to a Windows domain. Nearly everything works as expected - even ssh login with domain authentication.

Nearly because I want to limit ssh access to one local user and only one specific domain user.

So I thought a AllowUsers entry in the sshd.conf file will do the job - fail...

I always get the messages:

PHP Code:



sshd[5400]: User myuser@mydomain.lan from myhost.mydomain.lan not allowed because not listed in AllowUsers 
sshd[5400]: input_userauth_request: invalid user mydomain\\\\myuser [preauth] 
sshd[5400]: debug1: PAM: initializing for "mydomain\\myuser"

My current entry is:

PHP Code:



UsersAllow mylocaluser "myuser@mydomain.lan"

I've tried nearly any syntax (including sshd restart) I've found on the web but without success. Theres are also no other allow or deny entries in the conf file.

Any suggestions?

Turbocapitalist · 08-16-2017, 01:59 AM

It won't work that way. You'll probably have to go through PAM for that instead, at least if the original Kerberos is anything to go by. I've not had to touch PAM configuration in years, though, so that is just a pointer.

Orangutanklaus · 08-16-2017, 03:35 AM

K, I did some more research based on your suggestion.

I've enabled the following line in /etc/pam.d/sshd

PHP Code:



account  required     pam_access.so

and also added the domain user in /etc/security/access.conf

PHP Code:



+ : myuser@mydomain.lan : ALL
+ : mylocaluser : ALL
- : ALL : ALL

Slightly different error message (here PAM) but same results regardless what syntax I use for the domain user:

PHP Code:



fatal: Access denied for user myuser@mydomain.lan by PAM account configuration [preauth]

...and of course removed the AllowUsers line from sshd.conf