LinuxQuestions.org - Linux - Software
PAM allow one usergroup and root from specified ip (https://www.linuxquestions.org/questions/linux-software-2/pam-allow-one-usergroup-and-root-from-specified-ip-4175419730/)

hakkis 08-01-2012 05:50 AM

PAM allow one usergroup and root from specified ip
 
Hi

I am trying to configure PAM to allow ssh login only for root from a specified IP and for an Active Directory group.

Separately, I get both restrictions working:

Only root from specified ip:
-I added to /etc/ssh/sshd_config line
AllowUsers root@192.168.11.1
-Problem: sshd_config doesn't support BOTH AllowUsers and AllowGroups at the same time, and AllowGroups doesn't support IP restrictions for groups (e.g. mygroup@192.1681.1)

Only my AD group:
-I added to /etc/pam.d/sshd file line
auth required pam_winbind.so try_first_pass require_membership_of=mydomaingroup


The problem is how to get both of those rules working at the same time?

I googled a lot and concluded that I have to do it using only PAM. I have tested a few configurations but no luck so far.

Hopefully you get what I'm trying to do, and thanks for any advice!

acid_kewpie 08-01-2012 05:56 AM

ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.

hakkis 08-01-2012 06:44 AM

Quote:

Originally Posted by acid_kewpie (Post 4743043)
ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.

Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.

Normally users included in the domain group are using that server, but our backup system logs in as root using ssh, so that's why root login has to be allowed. I know it's not nice, but I think that it is not so insecure, because only one IP is allowed. And our environment is offline - no connection to the internet at all...

But is it possible to put domain groups in the access.conf file? I didn't find the place for it.

And do I have to put something like this in the /etc/pam.d/sshd file:
auth required pam_access.so

acid_kewpie 08-01-2012 06:57 AM

there's no distinction about where the groups come from. A group is a group. if it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.

hakkis 08-01-2012 07:04 AM

Quote:

Originally Posted by acid_kewpie (Post 4743100)
there's no distinction about where the groups come from. A group is a group. if it's listed in "getent group" then it'll work.

pam_access is usually in the default stack, so inherited by all modules already.

I got root working using access.conf, but I didn't get my AD group working.

Now I have these lines in the access.conf file:
# Allow root ssh login from 192.168.1.10
+ : root : 192.168.1.10
# Allow users in my-ad-group to log in
+ : @my-ad-group : ALL
# Deny access to all others
- : ALL : ALL

With this configuration only root can log in.

I also added the line:
auth required pam_access.so
to the /etc/pam.d/sshd file.

acid_kewpie 08-01-2012 07:59 AM

if you pick a user account and do "id <username>" does it list the group?

hakkis 08-01-2012 08:04 AM

Quote:

Originally Posted by acid_kewpie (Post 4743150)
if you pick a user account and do "id <username>" does it list the group?

If I run
id mydomainaccount

I get
id: mydomainaccount: No such user

Before I added the line
auth required pam_access.so
I was able to log in using my domain account.

acid_kewpie 08-01-2012 08:13 AM

how had you configured the domain accounts then? with LDAP to AD, or Domain membership to AD you should get the details in getent, so sounds like you've done something directly to pam to allow them to log in with maybe fudged posix details?

hakkis 08-01-2012 08:23 AM

Quote:

Originally Posted by acid_kewpie (Post 4743159)
how had you configured the domain accounts then? with LDAP to AD, or Domain membership to AD you should get the details in getent, so sounds like you've done something directly to pam to allow them to log in with maybe fudged posix details?

The server has joined the domain, and when I log in using PuTTY I put mydomain\mydomainaccount and that's it. To be honest, I didn't understand what you asked me... Domain accounts just work... I haven't done any other configuration.

The domain is Windows Active Directory and the Linux OS is SLES11.

acid_kewpie 08-01-2012 08:26 AM

So these users don't show up in "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?

acid_kewpie 08-01-2012 08:32 AM

On your smb.conf, do you have "winbind enum users" and "winbind enum groups" set to yes? Posting your smb.conf might be useful.

hakkis 08-01-2012 08:35 AM

Quote:

Originally Posted by acid_kewpie (Post 4743174)
So these users don't show up on "getent passwd" at all? What are the UID's and GID's of these users? Do they get their own private home directory?

Yes, they don't show up in getent passwd. I don't know what UIDs and GIDs they get, because I didn't find a way to check that. When I joined the domain I ticked the box "create home directory".

acid_kewpie 08-01-2012 08:38 AM

Actually, looking around more, samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the groups and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.

hakkis 08-02-2012 12:50 AM

Quote:

Originally Posted by acid_kewpie (Post 4743186)
Actually, looking around more, samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the groups and passwd entries..?

Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.

Yes I can see every group in AD.

acid_kewpie 08-02-2012 02:14 AM

so check the nsswitch.conf file then

hakkis 08-02-2012 02:31 AM

In the nsswitch.conf file there are:

passwd: compat winbind
group: compat winbind

Could the problem be in the access.conf file syntax? I also can't allow a single domain account in that file, e.g.
+ : mydomainaccount : ALL
or
+ : mydomainaccount : mydomain.com
or
+ : mydomainaccount : .mydomain.com
or
+ : mydomainaccount : \MYDOMAIN
etc.

hakkis 08-02-2012 02:37 AM

But the line:
+ : MYDOMAIN\mydomainaccount : ALL

works.

This doesn't solve the problem, just testing and trying to understand this stuff.

acid_kewpie 08-02-2012 02:44 AM

so with winbind in nsswitch.conf, "wbinfo -g" shows your group but "getent passwd" doesn't?

hakkis 08-02-2012 02:46 AM

Yes, wbinfo -g shows every domain group (MYDOMAIN\mygroup) and getent passwd shows only the local groups.

acid_kewpie 08-02-2012 02:53 AM

Hmm, ok. Back a little to something I mentioned before with the enum options in smb.conf, maybe clearer in this guy's reply - http://www.linuxquestions.org/questi...-login-885090/

hakkis 08-03-2012 06:48 AM

I didn't want to configure Samba because I think that not all of my Linux servers have it, and also all of my Linux servers have joined the domain the same way.

So I solved this problem with pam.

Now I have following lines in /etc/pam.d/sshd:
auth sufficient pam_winbind.so try_first_pass require_membership_of=mydomaingroup
auth required pam_access.so
auth sufficient common-auth

I also put to file /etc/security/access.conf following lines:
+ : root : 192.168.1.10
- : ALL : ALL

Now we first check whether the user logging in is a member of mydomaingroup; if so, the rest of the PAM lines will not be checked.
If the user logging in is not a member of mydomaingroup, the pam_access.so module will check whether the user is listed in the access.conf file; if so, common-auth will ask for their password.

Thanks acid_kewpie for the advice.
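An offline model of the two decisions discussed in this thread, the access.conf rules from the earlier post and the three-line stack in the final post, added here as an example; it is not code from the thread, from pam_access or from pam_winbind. Everything in it is constructed: ACCESS_CONF and GROUP_DB stand in for the real access.conf and for "getent group", a password equal to "ok" stands in for common-auth accepting it, origins are modelled only as an exact IP or ALL, and is_member, user_matches, origin_matches, access_allows and sshd_decision are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: an offline model of the decision the
# final /etc/pam.d/sshd stack makes, so both branches (AD group member, or
# root from the backup host's IP) can be checked without a domain-joined box.
# Everything below is constructed: GROUP_DB stands in for "getent group",
# a password equal to "ok" stands in for common-auth accepting it, and
# access.conf origins are modelled as an exact IP or ALL only.

# The access.conf rules from the final post, as constructed sample content.
ACCESS_CONF='
+ : root : 192.168.1.10
- : ALL : ALL
'

# Constructed stand-in for "getent group" output (name:gid:member,member).
GROUP_DB='
mydomaingroup:10001:alice,bob
wheel:10:root
'

# is_member USER GROUP: 0 if USER is in GROUP's member list, else 1.
is_member() {
    while IFS=: read -r name _gid members; do
        [ "$name" = "$2" ] || continue
        case ",$members," in *",$1,"*) return 0 ;; esac
    done <<EOF
$GROUP_DB
EOF
    return 1
}

# user_matches USER FIELD: FIELD is a rule's whitespace-separated user list
# (ALL, @group, or a login name), matched the way pam_access does.
user_matches() {
    for tok in $2; do
        case "$tok" in
            ALL) return 0 ;;
            @*)  is_member "$1" "${tok#@}" && return 0 ;;
            *)   [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# origin_matches ORIGIN FIELD: ALL or an exact IP (netmasks, host names and
# LOCAL are left out of this model).
origin_matches() {
    for tok in $2; do
        case "$tok" in
            ALL) return 0 ;;
            *)   [ "$tok" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# access_allows USER ORIGIN [CONF]: 0 if pam_access would let USER in from
# ORIGIN under CONF (default: ACCESS_CONF). The first matching rule wins, and
# with no matching rule pam_access grants access, which is why the closing
# "- : ALL : ALL" line is what turns the file into an allow-list.
access_allows() {
    _conf=${3:-$ACCESS_CONF}
    _decision=allow
    while IFS=: read -r perm users origins; do
        perm=$(printf '%s' "$perm" | tr -d ' \t')
        case "$perm" in ''|'#'*) continue ;; esac
        if user_matches "$1" "$users" && origin_matches "$2" "$origins"; then
            if [ "$perm" = '+' ]; then _decision=allow; else _decision=deny; fi
            break
        fi
    done <<EOF
$_conf
EOF
    [ "$_decision" = allow ]
}

# sshd_decision USER ORIGIN PASSWORD: walks the three lines of the final stack
#   auth sufficient pam_winbind.so try_first_pass require_membership_of=mydomaingroup
#   auth required   pam_access.so
#   auth sufficient common-auth
# printing the branch taken and returning 0 (login allowed) or 1 (denied).
sshd_decision() {
    # Line 1 is "sufficient": success ends the stack, failure falls through.
    if is_member "$1" mydomaingroup && [ "$3" = ok ]; then
        echo "allow: pam_winbind, $1 is in mydomaingroup"
        return 0
    fi
    # Line 2 is "required": a deny here fails the whole stack.
    if ! access_allows "$1" "$2"; then
        echo "deny: pam_access, no + rule for $1 from $2"
        return 1
    fi
    # Line 3 is the password check for whoever pam_access let through.
    if [ "$3" = ok ]; then
        echo "allow: common-auth after pam_access, $1 from $2"
        return 0
    fi
    echo "deny: common-auth, bad password for $1"
    return 1
}

# The cases the thread cares about, when run directly with sh.
sshd_decision alice 10.0.0.5 ok
sshd_decision root 192.168.1.10 ok
sshd_decision root 10.0.0.5 ok || true
sshd_decision carol 10.0.0.5 ok || true
```

Run it with sh; the last four lines print the branch taken for an AD group member, for root from 192.168.1.10, for root from any other address and for an unknown user. Two things the model makes visible: pam_access grants access when no rule matches at all, so dropping the closing "- : ALL : ALL" line lets every unlisted user through that module; and a "@group" rule can only match when the group resolves through NSS (the constructed GROUP_DB here, "getent group" on a real host), which fits the symptoms in the thread: "@my-ad-group" in access.conf matched nobody while getent did not list the group, whereas pam_winbind's require_membership_of check goes through winbindd rather than NSS.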

acid_kewpie 08-03-2012 07:19 AM

well a solution is a solution. I'm a big fan of generic solutions rather than overly targeted ones, and you may want to look into the lack of AD groups being generically available in future (how are you managing root access for these users? sudo would want access to that group data too), but cool, as long as it works.

