On Fri, Sep 15, 2006 at 05:35:06PM -0400, Matt Herzog wrote:
> Hello again.
>
> I'm hoping there is some way I can restrict ssh login through the AD to my
> Linux servers. I only have one group of users on the domain that needs ssh access.
>
> So far I see lots of ways to add or map or join Linux to Windows groups but
> I would rather be able to say "Permission denied" to all users but those in
> the AD group named "Developers."

My boss found this page and solution almost immediately, demonstrating why he's making the big bucks. Or something.

http://blogs.sun.com/tkblog/entry/integrating_linux_with_active_directory

All I needed to do is add the line:

    account sufficient pam_succeed_if.so gid = 10003

to /etc/pam.d/sshd

It is that simple. Of course I'd like to have more than one group be able to login so I'll dig into that presently.

-- 
Announcing your plans is a good way to hear the gods' laughter.
At 02:19 PM 9/19/2006, Matt Herzog wrote:
> It is that simple. Of course I'd like to have more than one group be able to
> login so I'll dig into that presently.

Create an AD group specifically for restricting ssh access -- "ssh access" or some such name. Then add the multiple AD groups to this group. Winbind should do the magic beyond this point. Adjust your pam_succeed_if.so line for this new gid once it propagates through winbind, and you should be all set...

Cheers,
-D

Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
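For the multi-group case discussed above, here is an added example of the account section of /etc/pam.d/sshd. It is not from either poster nor from the linked blog entry; the group names "developers" and "sysadmins" are assumed, and it assumes winbind is already resolving AD groups so that `getent group developers` returns them (with or without a DOMAIN\ prefix, depending on "winbind use default domain" in smb.conf; use whatever name getent prints).

```conf
# /etc/pam.d/sshd -- account section only (added example; group names assumed)
#
# Goal: permit SSH logins only for members of the AD groups "developers"
# or "sysadmins" as winbind presents them; refuse everyone else.
#
# PAM's [success=N default=ignore] syntax skips the next N modules when
# the test passes.  A developer jumps over the sysadmins test and pam_deny;
# a sysadmin jumps over pam_deny; anyone in neither group lands on
# pam_deny and is refused before the normal account checks run.
account  [success=2 default=ignore]  pam_succeed_if.so quiet user ingroup developers
account  [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup sysadmins
account  requisite                   pam_deny.so
account  required                    pam_unix.so
account  required                    pam_winbind.so
```

Two points worth knowing when adapting this. First, a lone `account sufficient pam_succeed_if.so ...` line only short-circuits the stack for users who match; a non-member merely falls through to whatever account modules follow, so the stack needs an explicit pam_deny (or an equivalent `required` test) for "Permission denied" to actually happen. Second, `gid = 10003` as in the original line works, but a winbind idmap backend that allocates ids on first use can hand the same AD group a different gid on each server, so matching by group name (`user ingroup`) travels better between hosts. If the servers run a reasonably recent OpenSSH, `AllowGroups developers sysadmins` in sshd_config enforces the same restriction inside sshd itself and can be used alongside the PAM rule.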