PAM: allow one user group and root from a specified IP
Hi
I am trying to configure PAM to allow SSH login only for root from a specified IP and for an Active Directory group. Separately, I get both restrictions working:

Only root from the specified IP:
- I added to /etc/ssh/sshd_config the line: AllowUsers root@192.168.11.1
- Problem: sshd_config doesn't support BOTH AllowUsers and AllowGroups at the same time, and AllowGroups doesn't support IP restrictions for groups (e.g. mygroup@192.1681.1)

Only my AD group:
- I added to /etc/pam.d/sshd the line: auth required pam_winbind.so try_first_pass require_membership_of=mydomaingroup

The problem is: how do I get both of those rules working at the same time? I googled a lot and ended up concluding that I have to do it using only PAM. I have tested a few configurations but no luck so far. Hopefully you get what I'm trying to do, and thanks for any advice!
ONLY from root? That's awful! Step one is usually to prevent root ever logging in. Are you really sure you have a need for this? Yuck.
Don't configure PAM, use the /etc/security/access.conf that the pam_access module will already be looking up.
But is it possible to put domain groups into the access.conf file? I didn't find a place for it. And do I have to put something like this into the /etc/pam.d/sshd file: auth required pam_access.so
There's no distinction about where the groups come from. A group is a group. If it's listed in "getent group" then it'll work.
pam_access is usually in the default stack, so it's already inherited by all modules.
No, I have these lines in the access.conf file:
+ : root : 192.168.1.10 #Allow root ssh login from 192.168.1.10
+ : @my-ad-group : ALL #Allow users in my-ad-group to log in
- : ALL : ALL #Deny access to all others
With this configuration only root can log in. I also added the line auth required pam_access.so to the /etc/pam.d/sshd file.
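To make the behaviour of that rule set concrete, here is an added example (not code from this thread or from pam_access itself): a small Python evaluator of the access.conf semantics pam_access applies. Rules are `perm : users : origins`, the first matching rule decides, `@name` in the user field is a group, and a missing match means permit. Group membership in the real module is resolved through the system group database (what `getent group` shows); here two constructed lookup functions play that role so the script runs offline, and the access.conf text is a constructed copy of the three rules above with the comments moved to their own lines. Origins are matched exactly (no netmasks, domain suffixes, LOCAL or EXCEPT lists), which is all the rules above need.

```python
# Added example, not code from the thread: a small evaluator of the
# /etc/security/access.conf rule semantics used by pam_access.
# Simplifications: exact-match origins only (no netmasks, domain
# suffixes, LOCAL, or EXCEPT lists); '@name' is treated as a group.
from typing import Callable, Optional

Rule = tuple[bool, list[str], list[str]]            # (allow?, users/groups, origins)
GroupLookup = Callable[[str], Optional[list[str]]]  # group name -> members, None if NSS cannot resolve it


def parse_access_conf(text: str) -> list[Rule]:
    """Parse 'perm : users : origins' lines; whole-line '#' comments are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(item: str, user: str, groups: GroupLookup) -> bool:
    """ALL matches anyone; '@name' matches members of a resolvable group; else exact user name."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        members = groups(item[1:])
        # An unresolvable group (NSS has no winbind entry) never matches:
        # this is what leaves domain users falling through to '- : ALL : ALL'.
        return members is not None and user in members
    return item == user


def origin_matches(item: str, origin: str) -> bool:
    return item == "ALL" or item == origin


def check_access(rules: list[Rule], user: str, origin: str, groups: GroupLookup) -> bool:
    """First matching rule wins; pam_access permits when nothing matches."""
    for allow, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and any(
            origin_matches(o, origin) for o in origins
        ):
            return allow
    return True


# Constructed sample mirroring the three rules in the post (comments moved
# to their own lines so the parser above can skip them).
ACCESS_CONF = """
# allow root ssh login from 192.168.1.10
+ : root : 192.168.1.10
# allow members of my-ad-group from anywhere
+ : @my-ad-group : ALL
- : ALL : ALL
"""
RULES = parse_access_conf(ACCESS_CONF)


# Two constructed group databases standing in for 'getent group'.
def nss_local_only(name: str) -> Optional[list[str]]:
    return {"wheel": ["root"]}.get(name)


def nss_with_winbind(name: str) -> Optional[list[str]]:
    return {"wheel": ["root"], "my-ad-group": ["alice", "bob"]}.get(name)


def demo() -> dict[str, bool]:
    return {
        "root from 192.168.1.10": check_access(RULES, "root", "192.168.1.10", nss_local_only),
        "root from 10.0.0.5": check_access(RULES, "root", "10.0.0.5", nss_local_only),
        "alice, group not in NSS": check_access(RULES, "alice", "10.0.0.5", nss_local_only),
        "alice, group via winbind": check_access(RULES, "alice", "10.0.0.5", nss_with_winbind),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} -> {'allow' if allowed else 'deny'}")
```

With the local-only group database, `alice` never matches `@my-ad-group` and hits `- : ALL : ALL`, which is the "only root can log in" symptom; once the group resolves, the same rules admit her. The check to run on a real host is therefore `getent group my-ad-group` from the box sshd runs on.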
If you pick a user account and do "id <username>", does it list the group?
With id mydomainaccount I get: id: mydomainaccount: No such user. Before I added the line auth required pam_access.so I was able to log in using my domain account.
How had you configured the domain accounts then? With LDAP to AD, or domain membership to AD, you should get the details in getent, so it sounds like you've done something directly to PAM to allow them to log in, with maybe fudged POSIX details?
The domain is Windows Active Directory and the Linux OS is SLES11.
So these users don't show up in "getent passwd" at all? What are the UIDs and GIDs of these users? Do they get their own private home directory?
In your smb.conf, do you have "winbind enum users" and "winbind enum groups" set to yes? Posting your smb.conf might be useful.
Actually, looking around more, Samba is likely to be OK in itself, but I wonder if you have winbind entries in /etc/nsswitch.conf against the group and passwd entries?
Can you see the groups from "wbinfo -g"? That's one step before the "getent passwd" command above.
So check the nsswitch.conf file then.
In the nsswitch.conf file are:
passwd: compat winbind
group: compat winbind
I think the problem could be in the access.conf file syntax? I also can't allow a single domain account in that file, e.g. + : mydomainaccount : ALL or + : mydomainaccount : mydomain.com or + : mydomainaccount : .mydomain.com or + : mydomainaccount : \MYDOMAIN etc.
But the line:
+ : MYDOMAIN\mydomainaccount : ALL
works. This doesn't solve the problem, just testing and trying to understand this stuff.
So with winbind in nsswitch.conf, "wbinfo -g" shows your group but "getent passwd" doesn't?
Yes, wbinfo -g shows every domain group (MYDOMAIN\mygroup) and getent passwd shows only the local groups.
Hmm, ok. Back a little to something I mentioned before with the enum options in smb.conf, maybe clearer in this guy's reply - http://www.linuxquestions.org/questi...-login-885090/
I didn't want to configure Samba because I think that not all of my Linux servers have it, and also all of my Linux servers have joined the domain the same way.
So I solved this problem with PAM. Now I have the following lines in /etc/pam.d/sshd:
auth sufficient pam_winbind.so try_first_pass require_membership_of=mydomaingroup
auth required pam_access.so
auth sufficient common-auth
I also put the following lines into /etc/security/access.conf:
+ : root : 192.168.1.10
- : ALL : ALL
Now we first check whether the user logging in is a member of mydomaingroup; if so, the rest of the PAM lines will not be checked. If the user logging in is not a member of mydomaingroup, the pam_access.so module checks whether the user is listed in the access.conf file; if so, common-auth asks for the password. Thanks acid kewpie for the advice.
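To check that the stack above really does what the post describes, here is an added example (not from the thread, and not PAM's own code): a Python simulator of the Linux-PAM control-flag semantics (`required`, `requisite`, `sufficient`, `optional`) run over those three auth lines. The module behaviour is modelled with constructed data: `pam_winbind` with `require_membership_of` succeeds only for a member of mydomaingroup who supplies the right password, `pam_access` reproduces the effect of the two access.conf lines, and `common-auth` is assumed to be a plain password check (on SLES it is normally an include file; the post's line is taken at face value as one `sufficient` step). The membership set and login attempts are constructed.

```python
# Added example, not code from the thread: a simulator of Linux-PAM
# control-flag semantics run over the three-line sshd auth stack from the
# post above. Module behaviour is modelled with constructed data.
from dataclasses import dataclass
from typing import Callable

Context = dict  # keys: user, origin, password_ok


@dataclass
class Entry:
    control: str               # required | requisite | sufficient | optional
    module: str
    check: Callable[[Context], bool]


DOMAIN_GROUP_MEMBERS = {"alice"}  # constructed membership of mydomaingroup


def pam_winbind(ctx: Context) -> bool:
    # require_membership_of=mydomaingroup: non-members fail even with the right password
    return ctx["user"] in DOMAIN_GROUP_MEMBERS and ctx["password_ok"]


def pam_access(ctx: Context) -> bool:
    # effect of '+ : root : 192.168.1.10' followed by '- : ALL : ALL'
    return ctx["user"] == "root" and ctx["origin"] == "192.168.1.10"


def common_auth(ctx: Context) -> bool:
    # assumption: the include behaves as a single password check
    return ctx["password_ok"]


SSHD_AUTH_STACK = [
    Entry("sufficient", "pam_winbind.so", pam_winbind),
    Entry("required", "pam_access.so", pam_access),
    Entry("sufficient", "common-auth", common_auth),
]


def run_stack(stack: list[Entry], ctx: Context) -> tuple[bool, list[str]]:
    """Return (granted, trace) following the simple PAM control flags.

    required:   failure is remembered, later modules still run.
    requisite:  failure ends the stack immediately.
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module has already failed; failure is ignored.
    optional:   ignored here (only decisive when it is the sole module).
    """
    failed_required = False
    trace: list[str] = []
    for entry in stack:
        ok = entry.check(ctx)
        trace.append(f"{entry.control:<10} {entry.module:<16} {'success' if ok else 'failure'}")
        if entry.control == "sufficient" and ok and not failed_required:
            return True, trace
        if entry.control == "requisite" and not ok:
            return False, trace
        if entry.control == "required" and not ok:
            failed_required = True
    return not failed_required, trace


# Constructed login attempts covering each path through the stack.
ATTEMPTS = {
    "alice (group member) from 10.0.0.5": {"user": "alice", "origin": "10.0.0.5", "password_ok": True},
    "alice, wrong password": {"user": "alice", "origin": "10.0.0.5", "password_ok": False},
    "root from 192.168.1.10": {"user": "root", "origin": "192.168.1.10", "password_ok": True},
    "root from 10.0.0.5": {"user": "root", "origin": "10.0.0.5", "password_ok": True},
    "bob (local, not member) from 192.168.1.10": {"user": "bob", "origin": "192.168.1.10", "password_ok": True},
}


def scenarios() -> dict[str, bool]:
    return {name: run_stack(SSHD_AUTH_STACK, ctx)[0] for name, ctx in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, ctx in ATTEMPTS.items():
        granted, trace = run_stack(SSHD_AUTH_STACK, ctx)
        print(f"{name:44} -> {'granted' if granted else 'denied'}")
        for line in trace:
            print("    " + line)
```

The traces show the two outcomes the post relies on: a group member is granted at the first `sufficient` line and never reaches pam_access, while root from the wrong address is denied only at the end of the stack, because a `required` failure is remembered rather than acted on. One consequence worth knowing: for that last case `common-auth` still runs, so the password is still checked before the denial is reported; `requisite` on the pam_access line would stop the stack at the access check instead.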
Well, a solution is a solution. I'm a big fan of generic solutions rather than overly targeted ones, and you may want to look into the lack of AD groups being generically available in future (how are you managing root access for these users? sudo would want access to that group data too), but cool, as long as it works.