我有一个 MIT-Kerberos / OpenLDAP 基础架构。我想限制用户的 ssh 访问,以便只有特定组的成员才允许 ssh 到我的服务器。当我只有没有 krb5 的 OpenLDAP 时,我使用 pam_access 来限制用户:
+ : usersinternal : ALL
- : ALL EXCEPT root : ALL
这正是我想要的;并且对于 PAM-Logins 仍然有效。
我的问题是所有用户都可以使用 SSO 登录:
me@workstation ~ % ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
# user cannot login
me@workstation ~ % kinit test
Password for [email protected]:
me@workstation ~ % ssh [email protected]
test@intern:~$ ## login successful, i am on the server
Connection to intern.example.com closed.
这是我的 sshd_config 的 GSSAPI 部分:
root@intern ~ # grep -i gssapi /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
我认为这是因为当用户成功通过 krb5 身份验证时,不会使用 PAM-Part;那么有什么好方法是限制谁可以登录呢?最好通过群组或其他方式。
答案1
我认为您正在寻找文件AllowGroups中的选项sshd_config:
AllowGroups
This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group
or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is
allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.