How do I limit access to a machine through SSH with LDAP / Active Directory security groups?

This document (7011689) is provided subject to the disclaimer at the end of this document.

Environment

A SUSE Enterprise 11 Server connected to an LDAP server or Active Directory domain.

Situation

The desire to limit which LDAP users can access a machine over SSH using their group membership.

Resolution

To limit which users can access the server based on group membership, you will need to make adjustments to the pam configuration for sshd.

While making these changes, please be sure to keep one ssh session open if you do not have physical access to your server as making a mistake in your pam configuration may lock you out of the machine.

  • Edit /etc/pam.d/sshd with your favorite text editor as a user with root access.
  • Find the "account include common-account" line and disable it by placing a # before it.
    • This prevents "any valid LDAP user" from logging in.
  • Under the last account line, add the following for each domain group you want to allow access to:
    • account sufficient pam_succeed_if.so user ingroup [domain\group]
  • Finally add the following under the last domain group line. This allows system users in the local wheel group to log in. (it's good to allow at least a few local users to log in. If you don't allow any local user accounts to log in, a network outage to your LDAP server may result in the inability to log in)
    • account sufficient pam_succeed_if.so user ingroup wheel

Test your changes by opening a new SSH login session to the server.

Cause


Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7011689
  • Creation Date: 23-Jan-2013
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center