RE: AllowGroups and ldap

From: Lars Weste (lweste_at_gmx.de)
Date: 02/02/05

    Date: Wed, 2 Feb 2005 08:54:21 +0100 (MET)
    To: "Tay, Gary" <Gary_Tay@platts.com>

    Hi,

    I can successfully log in from one SuSE 9.1 to another SuSE 9.1, both
    connected to the same LDAP server.

    This is the remote SuSE 9.1 sshd_config:
    ================================================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups admin
    ===============================================
    this is the remote suse 9.1 ldap.conf file:
    ===============================================
    host 10.10.10.10
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
    =============================================
    this is the remote suse 9.1 nsswitch.conf file:
    =============================================
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files nis
    aliases: files
    passwd_compat: ldap
    group_compat: ldap
    =========================================================
    and the following file is the SuSE 9.1 /etc/pam.d/sshd,
    but I think this file shouldn't be used because I configured
    UsePAM=no in sshd_config
    =========================================================
    #%PAM-1.0
    auth required pam_unix2.so # set_secrpc
    auth required pam_nologin.so
    auth required pam_env.so
    account required pam_unix2.so
    account required pam_nologin.so
    password required pam_pwcheck.so
    password required pam_unix2.so use_first_pass use_authtok
    session required pam_unix2.so none # trace or debug
    session required pam_limits.so
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
    #session optional pam_resmgr.so fake_ttyname
    ===============================================================
    With this configuration I can log in without any problem; the sshd checks
    that I am a member of the admin group, which is only available through
    LDAP.
    =========================================================

    The following is the SLES9 sshd_config file; apart from the
    AllowGroups directive it is the same as on the SuSE 9.1:
    =========================================================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups backup admin wheel
    ====================================================
    The following file is the SLES9 ldap.conf, the same apart from the host
    directive:
    ====================================================
    host localhost
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
    ===================================================
    The SLES9 nsswitch.conf file is exactly the same as the SuSE 9.1
    nsswitch.conf above.

    ===================================================
    id lars
    uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
     
    With this configuration, where the admin group is a supplementary group,
    I can log in to the SuSE 9.1 but not to the SLES9.

    I changed the groups I belong to, to the following:
    id lars
    uid=1010(lars) gid=1011(admin) groups=1011(admin),1006(weird)

    This enables me to log in to both systems, but having the admin group as a
    primary group is not an option.

    So if anybody has a hint as to what my problem might be, please tell me,
    because I'm a bit clueless here. Or maybe there are other configuration
    files involved which I didn't consider?

    Kind regards
    Lars

    ===================================================

          
           
    > IIRC, OpenSSH uses PAM and then PAM uses PAM_LDAP/NSS_LDAP to retrieve
    > LDAP id/pw info. So you have to configure PAM "UsePAM yes",
    > /etc/pam.conf (load pam_ldap.so.1) and /etc/ldap.conf (nss_ldap's
    > config) files.
    >
    > It will be interesting to see even after the above have been done, that
    > the "AllowGroups" directive works for LDAP based, instead of just
    > /etc/passwd files based login ids. "man sshd_config" does not say the
    > group info could be read from LDAP.
    >
    > Let us know what you could come out with.
    >
    > Gary
    >
    > -----Original Message-----
    > From: Lars Weste [mailto:lweste@gmx.de]
    > Sent: Monday, January 31, 2005 4:52 PM
    > To: secureshell@securityfocus.com
    > Subject: AllowGroups and ldap
    >
    >
    > Hi list,
    >
    > I encountered a problem while trying to use the AllowGroups feature of
    > OpenSSH to restrict access to only some groups.
    >
    > I'm using SuSE's ssh version OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004 at
    > the server and client side. The account information of the user I want
    > to log in as is stored within OpenLDAP.
    >
    > $ id
    > uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin).
    >
    > I only want to allow members of the admin group to log in. The group
    > information about the admin and the weird groups is also stored in the
    > LDAP database. If I configure AllowGroups weird, which is the primary
    > group of the user, I can log in. If I replace weird with admin, the login
    > will be rejected.
    >
    > =============
    > User lars not allowed because none of user's groups are listed in
    > AllowGroups
    > input_userauth_request: illegal user lars
    > =============
    >
    > I added the user to the local group wheel, added the wheel group to the
    > AllowGroups statement and restarted the sshd. With a local supplementary
    > group I could successfully log in. So is there a way to use the
    > supplementary groups of the user provided by the LDAP daemon?
    >
    >



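As an added diagnostic (not from the list thread, and not OpenSSH's own code), the script below shows what sshd's AllowGroups test actually compares: it parses the AllowGroups patterns out of sshd_config and resolves a user's groups through NSS in two different ways, so a host where `id` lists the LDAP group but the login is still refused can be checked for a mismatch between the two lookup paths. It assumes the server config lives at /etc/ssh/sshd_config and that it is run on a host with the nss_ldap setup from the thread in place.

```python
import fnmatch
import grp
import os
import pwd
import sys

def parse_allow_groups(sshd_config):
    """Patterns from every AllowGroups line: the keyword is case-insensitive,
    '#' starts a comment, and several AllowGroups lines accumulate."""
    patterns = []
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0].lower() == "allowgroups":
            patterns.extend(parts[1:])
    return patterns

def matched_groups(user_groups, patterns):
    """Groups satisfying at least one pattern (sshd accepts shell-style * and ?)."""
    return [g for g in user_groups if any(fnmatch.fnmatchcase(g, p) for p in patterns)]

def diagnose(sshd_config, user_groups):
    """No AllowGroups line means no restriction; otherwise one group must match."""
    patterns = parse_allow_groups(sshd_config)
    hits = matched_groups(user_groups, patterns)
    return {"patterns": patterns, "matched": hits, "allowed": not patterns or bool(hits)}

def groups_via_getgrouplist(username):
    """Primary plus supplementary groups as NSS answers getgrouplist(), which is
    also what id(1) normally uses, so this should agree with the id output above."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # gid that no configured NSS source can name
    return names

def groups_via_enumeration(username):
    """Same question via a walk over the whole group database (getgrent) and gr_mem;
    a disagreement with getgrouplist() points at the NSS/LDAP setup, not sshd_config."""
    gid = pwd.getpwnam(username).pw_gid
    return sorted({g.gr_name for g in grp.getgrall() if username in g.gr_mem or g.gr_gid == gid})

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    with open("/etc/ssh/sshd_config") as fh:  # assumed location of the server config
        cfg = fh.read()
    for label, resolve in (("getgrouplist", groups_via_getgrouplist), ("enumeration", groups_via_enumeration)):
        print(label, diagnose(cfg, resolve(user)))
```

Run it as root on both the SuSE 9.1 and the SLES9 host with the same user; if the two resolvers disagree on one host only, the difference is in how that host's NSS group source answers, which is where sshd's group check gets its data.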