AllowGroups and ldap

From: Lars Weste (lweste_at_gmx.de)
Date: 01/31/05

    Date: Mon, 31 Jan 2005 09:52:27 +0100 (MET)
    To: secureshell@securityfocus.com

    Hi list,

    I encountered a problem while trying to use the AllowGroups feature of
    OpenSSH to restrict access to only some groups.

    I'm using SuSE's ssh version OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004 on
    the server and client side. The account information of the user I want to
    log in is stored within OpenLDAP.
       
    $ id
    uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin).
       
    I only want to allow members of the admin group to log in. The group
    information about the admin and the weird groups is also stored in the
    LDAP database. If I configure AllowGroups weird, which is the primary
    group of the user, I can log in. If I replace weird with admin, the login
    will be rejected.
     
    =============
    User lars not allowed because none of user's groups are listed in
    AllowGroups
    input_userauth_request: illegal user lars
    =============
       
    I added the user to the local group wheel, added the wheel group to the
    AllowGroups statement and restarted the sshd. With a local supplementary
    group I could successfully log in. So is there a way to use the
    supplementary groups of the user provided by the LDAP daemon?
       
     
    My sshd_config file without the comments:
    Port 22
    Protocol 2
    StrictModes yes
    PubkeyAuthentication yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    PrintLastLog yes
    TCPKeepAlive yes
    UsePrivilegeSeparation yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups backup admin
     
     
    Kind regards,
    Lars

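The check the post runs into, as an added example that is not part of the original thread: a POSIX shell reimplementation of the AllowGroups membership test, run against the group list the system's name service returns for the user. It assumes sshd obtains the supplementary groups through the same lookup that `id -Gn` uses, so a group that exists in LDAP but is missing from `id -Gn` output (typically because the group: line in nsswitch.conf does not consult ldap) is invisible to AllowGroups; the sample group lists are constructed from the `id` output in the post.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce sshd's AllowGroups
# membership test from the group list NSS reports. Uses only POSIX sh and `id`.

# allowgroups_match GROUPS ALLOW
#   GROUPS: space-separated group names, as `id -Gn USER` prints them
#   ALLOW:  the AllowGroups value, space-separated, * and ? wildcards allowed
# Returns 0 if any group matches any pattern, 1 otherwise.
allowgroups_match() {
    _groups=$1
    _allow=$2
    for _g in $_groups; do
        for _pat in $_allow; do
            # an unquoted $_pat in a case label is a shell glob, the same
            # * / ? matching style sshd applies to AllowGroups entries
            case $_g in
                $_pat) return 0 ;;
            esac
        done
    done
    return 1
}

# check_user USER ALLOW: run the same test against what NSS resolves now.
# Assumption: sshd sees the user's supplementary groups through the same
# lookup as `id -Gn`, so a group stored in LDAP that is missing here
# (group: line in nsswitch.conf not consulting ldap) is invisible to sshd.
check_user() {
    _user=$1
    _allow=$2
    _seen=$(id -Gn "$_user" 2>/dev/null) || { echo "no such user: $_user"; return 2; }
    if allowgroups_match "$_seen" "$_allow"; then
        echo "$_user: allowed (groups: $_seen)"
        return 0
    fi
    echo "$_user: rejected, none of [$_seen] listed in AllowGroups [$_allow]"
    return 1
}

# Constructed from the post's `id` output: what LDAP holds for the user ...
LARS_LDAP_GROUPS="weird admin"
# ... and what sshd evidently resolved (primary group only).
LARS_LOCAL_GROUPS="weird"
# AllowGroups line from the posted sshd_config
POSTED_ALLOWGROUPS="backup admin"

# Stand-alone run: show both outcomes with the constructed lists.
allowgroups_match "$LARS_LDAP_GROUPS" "$POSTED_ALLOWGROUPS" && echo "ldap view: allowed"
allowgroups_match "$LARS_LOCAL_GROUPS" "$POSTED_ALLOWGROUPS" || echo "local view: rejected"
```

On a live host, `check_user lars "backup admin"` compares the real `id -Gn lars` output with the directive; if admin is absent there, the fix is in group resolution (nsswitch.conf / the LDAP client), not in sshd_config.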
