Network Security Secure-Shell

AllowGroups and ldap

Subject: AllowGroups and ldap
Date: Mon, 31 Jan 2005 09:52:27 +0100 (MET)
Hi list,

I encountered a problem while trying to use the AllowGroups feature of
OpenSSH to restrict access to only some groups.

I'm using SuSE's ssh version OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004 on
the server and client side. The account information of the user I want to
log in as is stored within OpenLDAP.

$ id
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)

I only want to allow members of the admin group to log in. The group
information about the admin and the weird groups is also stored in the
LDAP database. If I configure AllowGroups weird, which is the primary
group of the user, I can log in. If I replace weird with admin, the login
is rejected.
 
============= 
User lars not allowed because none of user's groups are listed in 
AllowGroups 
input_userauth_request: illegal user lars 
============= 
   
I added the user to the local group wheel, added the wheel group to the
AllowGroups statement and restarted the sshd. With a local supplementary
group I could successfully log in. So is there a way to use the
supplementary groups of the user provided by the LDAP daemon?
   
 
My sshd_config file without the comments:
Port 22
Protocol 2
StrictModes yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups     backup admin
 
 
Kind regards,
Lars


Current thread: AllowGroups and ldap, Lars Weste
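To see what the AllowGroups decision actually consumes, the following is an added example that is not part of the original post and not OpenSSH code. OpenSSH (groupaccess.c, ga_init) builds the user's group list with getgrouplist() from the user name and the primary gid in the passwd entry, maps each gid to a name with getgrgid(), and then compares names against the AllowGroups list. The script below emulates that decision against a constructed group database so it runs offline: the user, the weird and admin group names and gids are taken from the post; the backup and wheel gids, the passwd entry and all member lists are assumed sample data. Variant B, where the server's resolver returns the LDAP group without its members, reproduces the symptom in the post (primary group matches, supplementary group does not) and is a hypothesis, not a diagnosis of the poster's setup.

```shell
#!/bin/sh
# Added example: emulate OpenSSH's AllowGroups check on constructed data.
# Nothing below is output from the poster's server.

# Constructed passwd entry, as `getent passwd lars` would print it.
PASSWD_DB='lars:x:1010:1006:Lars:/home/lars:/bin/bash'

# Variant A: the resolver returns the LDAP group with lars in its member list.
# (gids for backup and wheel are assumed; weird and admin are from the post.)
GROUP_DB_A='weird:x:1006:
admin:x:1011:lars
backup:x:34:
wheel:x:10:'

# Variant B: same groups, but the member list of admin is not visible to the
# resolver that sshd uses, so only the primary group can match.
GROUP_DB_B='weird:x:1006:
admin:x:1011:
backup:x:34:
wheel:x:10:'

# Print the group names sshd would compare: the name of the primary gid from
# the passwd entry, plus every group whose member list contains the user.
# This mirrors getgrouplist() followed by getgrgid() in groupaccess.c.
user_groups() {
    user=$1; passwd_db=$2; group_db=$3
    gid=$(printf '%s\n' "$passwd_db" | awk -F: -v u="$user" '$1==u{print $4}')
    printf '%s\n' "$group_db" | awk -F: -v u="$user" -v g="$gid" '
        $3==g {print $1; next}
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# Return 0 if any of the user's groups appears in the AllowGroups list,
# otherwise 1, printing a line in the style of sshd's log message.
allowgroups_check() {
    user=$1; allow=$2; passwd_db=$3; group_db=$4
    for g in $(user_groups "$user" "$passwd_db" "$group_db"); do
        for a in $allow; do
            [ "$g" = "$a" ] && { echo "User $user allowed via group $g"; return 0; }
        done
    done
    echo "User $user not allowed because none of user's groups are listed in AllowGroups"
    return 1
}

# Demonstration: variant A passes; variant B fails for "backup admin" exactly
# like the poster's server, yet still passes when the primary group is listed.
allowgroups_check lars "backup admin" "$PASSWD_DB" "$GROUP_DB_A"
allowgroups_check lars "backup admin" "$PASSWD_DB" "$GROUP_DB_B" || true
allowgroups_check lars "weird"        "$PASSWD_DB" "$GROUP_DB_B"
```

On a real server the equivalent check is to run, as root (the privileged sshd process does the lookup), `getent passwd lars`, `getent group admin` and `id lars`: if `getent group admin` does not list lars as a member on the machine running sshd, there is nothing for `AllowGroups admin` to match, regardless of what `id` shows inside an established login session.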