AD service account SSH to CentOS without 2FA
I have a Windows 2012 AD server, and all of the Linux computers (CentOS) are joined to AD.
Recently, Quest Defender 2FA was activated, so all domain users require a soft token when they SSH to any of the CentOS systems. Now I need to exclude some of the domain service accounts from 2FA when they SSH to the Linux computers, meaning that when those accounts SSH in, the system automatically exempts them from 2FA.
Here is the current setting:
[root@Linux]# less /etc/pam_radius_acl.conf
sshd:*
[root@Linux]# /etc/pam.d/sshd
auth required pam_sepermit.so
auth requisite pam_defender.so
auth requisite pam_defender.so
auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
-session optional pam_reauthorize.so prepare
[root@Linux]# less /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
Secondly, I want to restrict domain users so they can access only the Linux computers within their own department, the so-called centralized sudo access. For example, a user in the admin department can log in only to Linux computers that belong to the admin department; she will not be able to log in to HR department PCs using her domain credentials.
Does the configuration go on the AD server or on the client computers (CentOS) to achieve this goal? My CentOS version is 7.4.
Thanks much.
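An added example, not from the original post, showing one way to express both requirements inside /etc/pam.d/sshd with pam_succeed_if: the auth section skips pam_defender for members of one AD group, and the account section refuses everyone outside the department's group. The group names svc-no2fa and linux-admin-dept are hypothetical; this assumes sssd resolves AD group membership through NSS (check with `id <user>`) and that pam_defender appears once in the stack, so the duplicated line from the posted config is collapsed.

```conf
# /etc/pam.d/sshd  (added example; group names are hypothetical)
auth     required      pam_sepermit.so
# If the user belongs to the AD group svc-no2fa, jump over the next ONE
# module (pam_defender).  success=N must equal the number of pam_defender
# lines that follow; default=ignore means non-members fall through to 2FA.
auth     [success=1 default=ignore] pam_succeed_if.so user ingroup svc-no2fa quiet_success
auth     requisite     pam_defender.so
auth     substack      password-auth
auth     include       postlogin
-auth    optional      pam_reauthorize.so prepare

account  required      pam_nologin.so
# Department restriction: only members of this host's department group
# pass the account phase, whatever credentials they presented.
# Use the matching group (e.g. linux-hr-dept) on HR department machines.
account  required      pam_succeed_if.so user ingroup linux-admin-dept
account  include       password-auth

password include       password-auth

session  required      pam_selinux.so close
session  required      pam_loginuid.so
session  required      pam_selinux.so open env_params
session  required      pam_namespace.so
session  optional      pam_keyinit.so force revoke
session  include       password-auth
session  include       postlogin
-session optional      pam_reauthorize.so prepare
```

Keep an existing root shell open while testing, and watch /var/log/secure for pam_succeed_if messages to confirm the group match before relying on it; the same department restriction can alternatively be enforced centrally in sssd.conf (ad_access_filter) or with sshd's AllowGroups rather than in PAM.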