Tuesday, July 20, 2010

sshd and LDAP for authentication control

LDAP can be used for group-based authentication control on individual systems; however, the following directives in /etc/ssh/sshd_config:

AllowGroups
AllowUsers

are mutually exclusive, with the AllowUsers directive taking precedence over AllowGroups. Local and LDAP groups may be mixed in the AllowGroups directive, meaning that if you use AllowGroups and wish to allow root logon, you must place the local group "root" in the AllowGroups directive.

If the system is an LDAP client, the AllowGroups directive is a far better way of giving individual users access to the system than placing individual user entries in sshd_config.

Here's what a failed ssh attempt by a non-group member (in this case root) looks like in the log:
Jul 20 13:41:35 server sshd[2541]: User root from client not allowed because none of user's groups are listed in AllowGroups
Jul 20 13:41:35 server sshd[2541]: Failed none for invalid user root from client port 41466 ssh2
Jul 20 13:41:37 server sshd[2541]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=root
Jul 20 13:41:39 server sshd[2541]: Failed password for invalid user root from client port 41466 ssh2


Here's what an LDAP user (ldapuser) looks like, falling through the PAM stack (pam_unix fails first) and gaining logon:
Jul 20 13:45:46 server sshd[2703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client  user=ldapuser
Jul 20 13:45:46 server sshd[2703]: Accepted password for ldapclient from client port 41529 ssh2
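As an added example (not part of the original post), here is a small POSIX shell audit that applies the post's two points to a constructed sshd_config fragment and constructed auth-log lines: it reports when AllowUsers and AllowGroups are both present, notes when the local "root" group is missing from AllowGroups, and tallies the "none of user's groups are listed in AllowGroups" denials per user and source host. Directive lookup takes the first occurrence, since sshd uses the first value it reads for each keyword; the sample config and log text are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample sshd_config fragment (not from a real host).
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
AllowUsers alice
AllowGroups sshusers root'

# Constructed auth-log lines, shaped like the sshd messages quoted in the post.
SAMPLE_AUTH_LOG='Jul 20 13:41:35 server sshd[2541]: User root from client not allowed because none of user'"'"'s groups are listed in AllowGroups
Jul 20 13:41:35 server sshd[2541]: Failed none for invalid user root from client port 41466 ssh2
Jul 20 13:45:46 server sshd[2703]: Accepted password for ldapuser from client port 41529 ssh2
Jul 20 13:50:01 server sshd[2801]: User bob from 10.0.0.5 not allowed because none of user'"'"'s groups are listed in AllowGroups'

# Print the value of a directive: sshd honours the FIRST occurrence of a keyword,
# so we stop at the first match (keyword comparison is case-insensitive).
sshd_directive() {   # $1 = config text, $2 = directive name
    printf '%s\n' "$1" | awk -v d="$2" 'tolower($1)==tolower(d) { $1=""; sub(/^ /,""); print; exit }'
}

# Emit one finding per line about how AllowUsers/AllowGroups are set.
audit_sshd_allow() {   # $1 = config text
    users=$(sshd_directive "$1" AllowUsers)
    groups=$(sshd_directive "$1" AllowGroups)
    [ -n "$users" ] && [ -n "$groups" ] && \
        echo "WARN: AllowUsers and AllowGroups both set; on an LDAP client prefer AllowGroups alone"
    if [ -n "$groups" ]; then
        case " $groups " in
            *" root "*) ;;   # local group root listed, root logon possible
            *) echo "INFO: local group root not in AllowGroups; root ssh logon will be refused" ;;
        esac
    fi
    [ -z "$users$groups" ] && echo "WARN: neither AllowUsers nor AllowGroups set; every LDAP account with a shell may log in"
    return 0
}

# Count AllowGroups denials per "user source" pair from auth-log text.
# Field layout of the sshd message: ... sshd[pid]: User <user> from <host> not allowed ...
allowgroups_denials() {   # $1 = log text; prints "count user host", sorted
    printf '%s\n' "$1" | awk '/not allowed because none of user.s groups are listed in AllowGroups/ { n[$7 " " $9]++ }
        END { for (k in n) print n[k], k }' | sort
}

audit_sshd_allow "$SAMPLE_SSHD_CONFIG"
allowgroups_denials "$SAMPLE_AUTH_LOG"
```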
