Restrict ssh login from LDAP to users who have a /home directory
Solution 1
Because managing access would require a lot of workarounds on the local host, we decided just to create a group in Active Directory and restrict logins to users in that group.
This can be done by editing the /etc/security/pam_winbind.conf file and setting the following field to the SIDs of the groups or users we want to restrict access to (comma separated).
require_membership_of=
We then filter our chroot restrictions to that group (or put the users in a local group) to restrict their sftp access to their own home directories. This will also allow us to add oddjob mkhomedir back to PAM, and then to allow access to the server we just have to add the user to that group. They can then log in and their home dir will be created automatically.
Thanks everyone for the help/ideas but it looks like AD groups will be the easiest to manage after all.
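As an added example that is not part of the original answer, the sshd_config fragment below shows the kind of chroot restriction the answer describes: members of one group are confined to SFTP inside their own home directory. The group name sftp-users and the SID in the pam_winbind.conf comment are placeholders; the real SID is whatever you put in require_membership_of.

```text
# /etc/security/pam_winbind.conf (the field from the answer; SID is a placeholder)
# require_membership_of = S-1-5-21-<domain-sid>-<group-rid>

# /etc/ssh/sshd_config: Subsystem must come before any Match block,
# because a Match block extends to the end of the file.
Subsystem sftp internal-sftp

# "sftp-users" is a placeholder for the same group that require_membership_of
# names; with winbind the name may need the domain prefix (DOMAIN\sftp-users)
# unless "winbind use default domain" is set in smb.conf.
Match Group sftp-users
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

sshd refuses a ChrootDirectory that is not owned by root or that is group- or world-writable, so with ChrootDirectory %h the home directory itself has to be root-owned, with a writable subdirectory for uploads, and it has to exist with those permissions by the time sshd chroots. Check how the block applies to a given account with sshd -T -C user=<name> before restarting sshd.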
Solution 2
Solution 1:
You can use the PAM module pam_homecheck.
All it does is check whether the user has a home directory and refuse the session if none is found.
The issue is that it is only available in openSUSE, but you can copy pam_homecheck.so from the downloaded package and install its dependencies with the help of ldd pam_homecheck.so.
Solution 2:
You can add the content below to /etc/bashrc, but it is only applicable to shell/PuTTY logins:
[[ $HOME == / ]] && { echo "Error: Home Dir not define.."; exit 1; }
Solution 3:
Deny if the home dir is not set (the steps below were tested and are working on Ubuntu).
To deny WinSCP:
aptitude install libpam-script
Open "/etc/pam.d/common-auth" with your favorite editor and add the entry below:
auth optional pam_script.so # add at the end
Open "/usr/share/libpam-script/pam_script_auth" with your favorite editor and add the content below:
#!/bin/bash
# Look the user up through NSS with getent so LDAP/winbind accounts are found,
# not only the entries in /etc/passwd
Pam_home=$(getent passwd "$PAM_USER" | awk -F: '{print $6}')
if [[ -z $Pam_home || $Pam_home == / ]]; then
    echo "Error: Home Dir not defined."
    kill -9 "$PPID" # Forcefully kill the WinSCP session's sshd process
    exit 1
else
    /usr/lib/openssh/sftp-server
fi
To deny shell/PuTTY logins: it will refer to and run the same script from the default location, i.e. "/usr/share/libpam-script/pam_script_auth".
You can verify in the logs with "tail -f /var/log/auth.log".
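Added here as an example, not code from either answer above: a libpam-script hook written in POSIX sh that resolves the account through getent (so LDAP and winbind users are covered, not only /etc/passwd entries) and denies the login when the home field is empty, is "/", or does not exist on disk. It assumes libpam-script exports PAM_USER to the script and that the module is wired as required rather than optional so the exit status is honoured; the syslog tag pam_home_check and the passwd lines used for checking are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from either answer above): a libpam-script hook
# that denies the login when the account has no usable home directory.
# Assumes libpam-script exports PAM_USER to the script and that the module
# is wired as "required" (not "optional") so the exit status is honoured.

# check_home_entry PASSWD_LINE
# Succeeds (exit 0) only if field 6 of the passwd line is non-empty,
# is not "/", and exists as a directory. Takes the line as an argument
# so it can be exercised on constructed entries without touching NSS.
check_home_entry() {
    home_dir=$(printf '%s\n' "$1" | cut -d: -f6)
    [ -n "$home_dir" ] && [ "$home_dir" != "/" ] && [ -d "$home_dir" ]
}

# check_user USERNAME
# Resolves the account through NSS with getent, so LDAP and winbind
# users are seen, not only entries in /etc/passwd.
check_user() {
    entry=$(getent passwd "$1") || return 1
    check_home_entry "$entry"
}

main() {
    if check_user "$PAM_USER"; then
        logger -p auth.info -t pam_home_check "allow $PAM_USER: home directory present"
        exit 0
    fi
    logger -p auth.warning -t pam_home_check "deny $PAM_USER: no usable home directory"
    exit 1
}

# Run only when invoked by PAM (PAM_USER set); sourcing the file for tests
# leaves the functions defined without running main.
if [ -n "${PAM_USER:-}" ]; then
    main
fi
```

Public-key logins skip the PAM auth stack, so if key-based sftp sessions must be covered too, install the same script as /usr/share/libpam-script/pam_script_acct and reference pam_script.so from the account stack (/etc/pam.d/common-account on Ubuntu); sshd with UsePAM yes still runs the account stack for key logins. The allow/deny lines land in /var/log/auth.log, where the answer already suggests watching the result.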
user869525
Updated on September 18, 2022
Comments
-
user869525 over 1 year
and thanks ahead of time for any help!
I have compiled a program (which I did not write) and it works just fine on Mac's but when I try to execute the program on Windows I get the following error message shortly after execution of the program began:
forrt1: severe (170): Program Exception - stack overflow
I am not an ifort or Fortran user, but trying to compile a program for work.
I did an "ifort --version" and I am using Intel Visual Fortran Compiler XE with version 12.0.0.104. I have been working on this problem for a few days now and I have tried messing with the flags in the Makefile some, but with no luck.
If I can provide any further information, I'll try to do my best. Thanks again!
-
David Heffernan almost 13 years
We can't answer your question without seeing the code. I'd guess the default stack size of the Windows compiler is less than on the other platform. You probably have very large stack variables.
-
user about 11 years
Do you need to restrict only ssh (terminal) logins, or do you also need to restrict sftp/scp access? It would be relatively easy to restrict ssh logins to accounts with a valid home directory, but I can't think of an easy way to restrict sftp/scp access in a similar manner.
-
Ketan about 11 years
@JoelDavis Adding oddjob mkhomedir creates the home dir and puts the user in the directory.
-
Ketan about 11 years
@MichaelKjörling We actually are disallowing ssh entirely and only allow sftp.
-
Bratchley about 11 years
@Rothgar does it chroot them, or does SSH check for the home dir before oddjob is able to come into the picture? You'll probably also have to make sure all required files get copied in from the skeleton directory.
-
Xianlin almost 10 years
If you want to disable users' ssh login, you can put a restricted name list in /etc/ssh/sshd_config, can't you?
-
bdforbes almost 13 years
Additionally, use /heap-arrays:0 to make sure EVERYTHING goes on the heap.
-
jordanm about 11 years
I think that partially defeats the purpose of using LDAP for authentication.
-
Ketan about 11 years
I like the idea, but some of the accounts are managed by groups of people and not just individuals. I don't think it would make sense to have them manage passing around keys to all the people/computers that need to log in via sftp to upload files.