Network Security Secure-Shell

RE: AllowGroups and ldap

Subject: RE: AllowGroups and ldap
Date: Tue, 1 Feb 2005 17:47:37 +0800
IIRC, OpenSSH uses PAM and then PAM uses PAM_LDAP/NSS_LDAP to retrieve
LDAP id/pw info. So you have to configure PAM ("UsePAM yes"),
/etc/pam.conf (load pam_ldap.so.1) and /etc/ldap.conf (nss_ldap's
config) files.

It will be interesting to see whether, even after the above has been done,
the "AllowGroups" directive works for LDAP-based login IDs instead of just
/etc/passwd-based ones. "man sshd_config" does not say the group info
could be read from LDAP.

Let us know what you come up with.

Gary

-----Original Message-----
From: Lars Weste [mailto:lweste@gmx.de] 
Sent: Monday, January 31, 2005 4:52 PM
To: secureshell@securityfocus.com
Subject: AllowGroups and ldap


Hi list,

I encountered a problem while trying to use the AllowGroups feature of
openssh to restrict access to only some groups.

I'm using SuSE's ssh version OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004 on
the server and client side. The account information of the user I want to
log in as is stored within openldap.

$ id
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin).

I only want to allow members of the admin group to log in. The group
information about the admin and the weird groups is also stored in the
ldap database. If I configure AllowGroups weird, which is the primary
group of the user, I can log in. If I replace weird with admin the login
will be rejected.
 
============= 
User lars not allowed because none of user's groups are listed in 
AllowGroups 
input_userauth_request: illegal user lars 
============= 
   
I added the user to the local group wheel, added the wheel group to the
AllowGroups statement and restarted the sshd. With a local supplementary
group I could successfully log in. So is there a way to use the
supplementary groups of the user provided by the ldap daemon?
   
 
My sshd_config file without the comments:

Port 22
Protocol 2
StrictModes yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups     backup admin
 
 
kind regards 
lars 

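Editor's note on the thread above: sshd does not evaluate AllowGroups through PAM. At authentication time it looks the user's groups up afresh through the system group database (the NSS `group` source: files, nss_ldap, etc.) with getgrgid() for the primary group and getgrouplist() for the supplementary groups, then matches the resulting names against the AllowGroups/DenyGroups patterns. `id` with no argument, as run in the post, prints the groups of the current shell process, which were assigned by whatever login path created it; that is not the same lookup sshd performs as root before any session exists. A quick way to see what sshd will see is `id lars` (with the user name) run as root on the server, since that form also calls getgrouplist(). The script below is an added example, not OpenSSH code, that re-implements the same check on constructed data reproducing the post (uid 1010 lars, primary gid 1006 weird, supplementary gid 1011 admin, `AllowGroups backup admin`) so the three situations in the thread can be compared: the LDAP group returned by NSS, only the primary group returned (the failure Lars reports), and the local wheel workaround. Run it with a user name argument to query the live group database of the host.

```python
"""Re-implementation of the AllowGroups/DenyGroups check sshd performs.

Added example, not OpenSSH's own code. sshd does the equivalent in its
groupaccess.c with getgrgid(), getgrouplist() and match_pattern_list();
the wildcard semantics here (shell-style patterns, space separated) follow
sshd_config(5).
"""
import fnmatch
import grp
import os
import pwd


def match_pattern_list(name, patterns):
    """AllowGroups-style matching: space-separated, shell wildcards allowed."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns.split())


def group_names(primary_gid, supplementary_gids, gid_to_name):
    """Turn the gids sshd collects into names. A gid the group database
    cannot resolve is dropped: sshd can only match on names it can look up."""
    names = []
    for gid in [primary_gid, *supplementary_gids]:
        name = gid_to_name.get(gid)
        if name is not None and name not in names:
            names.append(name)
    return names


def allowed_by_groups(names, allow_groups="", deny_groups=""):
    """Same order as sshd: DenyGroups first, then AllowGroups.
    An empty directive means it is not configured."""
    if deny_groups and any(match_pattern_list(n, deny_groups) for n in names):
        return False
    if allow_groups and not any(match_pattern_list(n, allow_groups) for n in names):
        return False
    return True


def system_group_names(username):
    """Ask the host's group database (NSS) the way sshd does.
    Run as root on the sshd host to see the names sshd would match on."""
    pw = pwd.getpwnam(username)
    gids = os.getgrouplist(username, pw.pw_gid)
    lookup = {}
    for gid in gids:
        try:
            lookup[gid] = grp.getgrgid(gid).gr_name
        except KeyError:
            pass  # gid with no group entry visible to NSS
    return group_names(pw.pw_gid, gids, lookup)


# Constructed data reproducing the post; gid 10 for wheel is an assumption.
GROUP_DB = {1006: "weird", 1011: "admin", 10: "wheel"}
ALLOW = "backup admin"


def lars_with_ldap_groups():
    # NSS returns the LDAP supplementary group admin: login permitted.
    return allowed_by_groups(group_names(1006, [1006, 1011], GROUP_DB), ALLOW)


def lars_primary_only():
    # getgrouplist() returns only the primary group: the failure in the post,
    # "none of user's groups are listed in AllowGroups".
    return allowed_by_groups(group_names(1006, [1006], GROUP_DB), ALLOW)


def lars_with_local_wheel():
    # The workaround from the post: local group wheel, added to AllowGroups.
    return allowed_by_groups(group_names(1006, [1006, 10], GROUP_DB), ALLOW + " wheel")


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    print(user, "->", system_group_names(user))
```

If `system_group_names("lars")` run as root on the server lists only `weird` while `id` in Lars's shell shows `admin` as well, the gap is in the NSS group lookup (nss_ldap configuration or the group entries' member attributes), not in sshd's AllowGroups handling.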
