How do I limit access to a machine through SSH with LDAP / Active Directory security groups?
This document (7011689) is provided subject to the disclaimer at the end of this document.
While making these changes, please be sure to keep one ssh session open if you do not have physical access to your server as making a mistake in your pam configuration may lock you out of the machine.
- Edit /etc/pam.d/sshd with your favorite text editor as a user with root access.
- Find the "account include common-account" line and disable it by placing a # before it.
- This prevents "any valid LDAP user" from logging in.
- Under the last account line, add the following for each domain group you want to allow access to:
- account sufficient pam_succeed_if.so user ingroup [domain\group]
- Finally add the following under the last domain group line. This allows system users in the local wheel group to log in. (it's good to allow at least a few local users to log in. If you don't allow any local user accounts to log in, a network outage to your LDAP server may result in the inability to log in)
- account sufficient pam_succeed_if.so user ingroup wheel
Test your changes by opening a new SSH login session to the server.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011689
- Creation Date: 23-Jan-2013
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com