[COLUG] SSH AllowGroups / AllowUsers

Scott Merrill skippy at skippy.net
Tue May 13 09:15:36 EDT 2008


I'm preparing a new NFS server running RHEL 5.1 which is connected to
our Active Directory (LDAP / Kerberos) infrastructure.  This NFS
server will share the /home partition that our various
(to-be-installed) GNU/Linux lab machines will mount.

I followed these instructions to get the NFS server joined to our AD:
   http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

`getent passwd` on this machine shows all users, and I can log in
using my domain user account.

I _do not_ want all regular users to be able to ssh into the server.
I'd like to prevent root ssh logins.  I want IT staff to be able to
ssh into the NFS server and `su` into root.

I can prevent root logins easily enough in /etc/ssh/sshd_config.  I've
confirmed that this works.

Reading the sshd_config manpage, I _should_ be able to restrict access
to specific users or groups with the AllowGroups and AllowUsers
directives.

On one of our domain controllers, I created an ActiveDirectory group
called "SSHAccess".  I assigned UNIX attributes to this group, and I
assigned my AD account to be a member of this group.  From the NFS
server, `getent group sshaccess` correctly reports that my user
account is a member of that group:
# getent group sshaccess
SSHAccess:*:10009:merrill.11

I added the following line to /etc/ssh/sshd_config:
AllowGroups SSHAccess

When I try to ssh in using my merrill.11 account, the following gets
logged to /var/log/secure:
May 13 07:54:17 nfs1 sshd[26057]: User merrill.11 from <IP> not
allowed because none of user's groups are listed in AllowGroups
May 13 07:54:17 nfs1 sshd[26058]: input_userauth_request: invalid user
merrill.11

My client prompts me for a password, so I enter my correct domain
password.  The server logs:
May 13 08:59:51 nfs1 sshd[1578]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP>
user=merrill.11
May 13 08:59:51 nfs1 sshd[1578]: pam_krb5[1578]: authentication fails
for 'merrill.11' (merrill.11 at DOMAIN): Authentication failure
(Preauthentication failed)
May 13 08:59:54 nfs1 sshd[1578]: Failed password for invalid user
merrill.11 from <IP> port 48158 ssh2


So I commented out the AllowGroups line, and replaced it with this:
AllowUsers "merrill.11@*"

When I try to ssh in using my merrill.11 account, the following gets
logged to /var/log/secure:
May 13 08:54:22 nfs1 sshd[30680]: User merrill.11 from <IP> not
allowed because not listed in AllowUsers
May 13 08:54:22 nfs1 sshd[30681]: input_userauth_request: invalid user
merrill.11

Note that my ssh client still prompts me for a password.  When I type
it in, this is logged on the server:
May 13 08:54:37 nfs1 sshd[30680]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP>
user=merrill.11
May 13 08:54:37 nfs1 sshd[30680]: pam_krb5[30680]: authentication
fails for 'merrill.11' (merrill.11 at DOMAIN): Authentication failure
(Preauthentication failed)
May 13 08:54:39 nfs1 sshd[30680]: Failed password for invalid user
merrill.11 from <IP> port 35573 ssh2

The above occurs whether I use "merrill.11" or "merrill.11@*" in the
AllowUsers line.


For comparison's sake, here's what a successful SSH login logs when I
have no restrictions defined in sshd_config:
May 13 08:55:36 nfs1 sshd[31560]: Failed publickey for merrill.11 from
<IP> port 35444 ssh2
May 13 08:55:36 nfs1 sshd[31560]: Failed publickey for merrill.11 from
<IP> port 35444 ssh2
May 13 08:55:38 nfs1 sshd[31560]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP>
user=merrill.11
May 13 08:55:38 nfs1 sshd[31560]: pam_krb5[31560]: authentication
succeeds for 'merrill.11' (merrill.11 at DOMAIN)
May 13 08:55:38 nfs1 sshd[31560]: Accepted password for merrill.11
from <IP> port 35444 ssh2
May 13 08:55:38 nfs1 sshd[31560]: pam_unix(sshd:session): session
opened for user merrill.11 by (uid=0)

I have "UsePAM yes" in sshd_config, and I've disabled GSSAPIAuthentication.

Any ideas on why my domain group and/or account don't work with
authentication restrictions?  Has anyone successfully used AllowGroups
or AllowUsers with ssh?  Has anyone successfully used them in an
Active Directory environment?

Thanks!
Scott
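As an added example (not part of Scott's post and not OpenSSH code), the script below models how sshd evaluates these directives, following the processing order and the `USER@HOST` pattern form documented in sshd_config(5), so that an AllowUsers or AllowGroups line can be checked against `getent group` output before it goes into the live configuration. The client address, the `domain users` group and the second getent line are constructed; only the `SSHAccess` line comes from the post.

```python
# Added example, not from the original post or from OpenSSH. Models the
# documented sshd order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Patterns ('*' and '?') are compared case-sensitively, as sshd's matcher
# does, so "sshaccess" would not satisfy "AllowGroups SSHAccess".
import re

# Constructed `getent group` output; the first line is from the post.
GETENT_GROUP = """\
SSHAccess:*:10009:merrill.11
domain users:*:10001:merrill.11,someone.else
"""

def groups_of(user, getent_output):
    """Groups listing USER as a member, from getent lines. The real sshd
    also includes the primary group from the passwd entry (getgrouplist)."""
    groups = []
    for line in getent_output.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        if user in members.split(","):
            groups.append(name)
    return groups

def match_pattern(value, pattern):
    """Case-sensitive glob where '*' matches any run and '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def match_user(user, host, patterns):
    """'USER@HOST' must match both parts; a bare pattern matches USER.
    A stray quote character in a pattern never matches a login name."""
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if match_pattern(user, upat) and match_pattern(host, hpat):
                return True
        elif match_pattern(user, pat):
            return True
    return False

def sshd_allows(user, host, groups, cfg):
    """Return (allowed, reason); an absent directive imposes no limit."""
    if match_user(user, host, cfg.get("DenyUsers", [])):
        return False, "listed in DenyUsers"
    if cfg.get("AllowUsers") and not match_user(user, host, cfg["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if any(match_pattern(g, p) for g in groups for p in cfg.get("DenyGroups", [])):
        return False, "one of user's groups is listed in DenyGroups"
    if cfg.get("AllowGroups") and not any(
            match_pattern(g, p) for g in groups for p in cfg["AllowGroups"]):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"
```

Comparing the group names this returns with what `id merrill.11` prints on the server shows whether sshd can see the AD group membership at all, which is the first thing to verify when AllowGroups rejects a user who appears in `getent group`.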

