Restrict ssh login from LDAP to users who have a /home directory


Solution 1

Because the management of access would require a lot of workarounds on the local host, we decided just to create a group in Active Directory and restrict logins to users in that group.

This can be done by editing the /etc/security/pam_winbind.conf file and setting the following field to the SIDs of the groups or users we want to restrict access to (comma separated).

require_membership_of=

We then will filter our chroot restrictions to that group (or put the users in a local group) to restrict their sftp access to their own home directories. This will also allow us to add oddjob mkhomedir back to PAM, and then to allow access to the server we just have to add the user to that group. They can then log in and their home dir will be created automatically.

Thanks everyone for the help/ideas but it looks like AD groups will be the easiest to manage after all.

Solution 2

Solution 1:

You can use the PAM module pam_homecheck.

All it does is check if there is a home directory of the user and refuses a session if none is found.

The issue is that it's only available in openSUSE, but you can copy pam_homecheck.so from the downloaded package and install its dependencies with the help of ldd pam_homecheck.so.

Solution 2: you can add the content below to /etc/bashrc, but this is only applicable to shell/PuTTY logins.

[[ "$HOME" == / ]] && { echo "Error: Home Dir not define.."; exit 1; }  # no usable home directory: end the login shell

Solution 3:

Deny if the home dir is not set (the steps below are tested and working on Ubuntu)

To deny WinSCP

aptitude install libpam-script

Open "/etc/pam.d/common-auth" with your favorite editor and add the entry below

auth optional pam_script.so  # add as the last line

Open "/usr/share/libpam-script/pam_script_auth" with your favorite editor and add the content below

#!/bin/bash
# pam_script_auth: refuse the session when the user's home directory is not set.
# The home directory is resolved with getent rather than by reading /etc/passwd
# directly, so that LDAP users (which are not listed in /etc/passwd) are found too.
Pam_home=$(getent passwd "$PAM_USER" | awk -F: '{print $6}')

# An unknown user yields an empty value; treat that like a home of "/".
if [[ -z "$Pam_home" || "$Pam_home" == / ]]; then
        echo "Error: Home Dir not define.."
        kill -9 "$PPID" # Forcefully kill the WinSCP sftp session
else
        /usr/lib/openssh/sftp-server
fi

To deny shell/PuTTY logins

It will run the same script from the default location, i.e. "/usr/share/libpam-script/pam_script_auth". You can verify this in the logs with "tail -f /var/log/auth.log".
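A variant of the pam_script_auth check above, written as an added example that is not part of the original answers: it resolves the home directory through getent (so LDAP/SSSD/winbind accounts are covered, not only /etc/passwd entries), rejects an empty or "/" home or one that does not exist as a directory, and reports the decision through the script's exit status, which libpam-script maps to PAM success or failure (effective only if the module is marked required rather than optional). The function names and the logger tag are my own choices.

```shell
#!/bin/bash
# Added example (not from the original answers): a pam_script_auth-style
# check that refuses accounts without a usable home directory.

# Return 0 if the home directory path is acceptable, 1 otherwise.
# Rules: non-empty, not "/", and must exist as a directory.
home_dir_acceptable() {
    local home="$1"
    [ -n "$home" ] || return 1
    [ "$home" != "/" ] || return 1
    [ -d "$home" ] || return 1
    return 0
}

# Resolve a user's home directory through NSS (getent), so LDAP/SSSD/winbind
# accounts are found, not only local /etc/passwd entries.
lookup_home() {
    getent passwd "$1" | cut -d: -f6
}

# Log to syslog when logger is available, otherwise to stderr.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t pam_script_auth "$*"
    else
        echo "pam_script_auth: $*" >&2
    fi
}

# Decide for one user. Exit status is what libpam-script reports back to PAM:
# 0 = success, non-zero = failure.
check_pam_user() {
    local user="$1" home
    home="$(lookup_home "$user")"
    if home_dir_acceptable "$home"; then
        log_msg "user=$user home=$home allowed"
        return 0
    fi
    log_msg "user=$user home=${home:-<none>} denied: no usable home directory"
    return 1
}

# Only act when invoked by PAM ($PAM_USER set); sourcing the file does nothing.
if [ -n "${PAM_USER:-}" ]; then
    check_pam_user "$PAM_USER"
    exit $?
fi
```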


Author by user869525

Updated on September 18, 2022

Comments

  • user869525
    user869525 over 1 year

    and thanks ahead of time for any help!

    I have compiled a program (which I did not write) and it works just fine on Macs, but when I try to execute the program on Windows I get the following error message shortly after execution of the program begins:

    forrt1: severe (170): Program Exception - stack overflow

    I am not an ifort or Fortran user, but trying to compile a program for work.

    I did an "ifort --version" and I am using Intel Visual Fortran Compiler XE with version 12.0.0.104. I have been working on this problem for a few days now and I have tried messing with the flags in the Makefile some, but with no luck.

    If I can provide any further information, I'll try to do my best. Thanks again!

    • David Heffernan
      David Heffernan almost 13 years
      We can't answer your question without seeing the code. I'd guess the default stack size of the Windows compiler is less than on the other platform. You probably have very large stack variables.
    • user
      user about 11 years
      Do you need to restrict only ssh (terminal) logins, or do you also need to restrict sftp/scp access? It would be relatively easy to restrict ssh logins to accounts with a valid home directory, but I can't think of an easy way to restrict sftp/scp access in a similar manner.
    • Ketan
      Ketan about 11 years
      @JoelDavis Adding oddjob mkhomedir creates the home dir and puts the user in the directory.
    • Ketan
      Ketan about 11 years
      @MichaelKjörling We actually are disallowing ssh entirely and only allow sftp
    • Bratchley
      Bratchley about 11 years
      @Rothgar does it Chroot them or does SSH check for the home dir before oddjob is able to come into the picture? You'll probably also have to make sure all required files get copied in from the skeleton directory.
    • Xianlin
      Xianlin almost 10 years
      If you want to prevent users from logging in via ssh, you can put a restricted name list in /etc/ssh/sshd_config, can't you?
  • bdforbes
    bdforbes almost 13 years
    Additionally, use /heap-arrays:0 to make sure EVERYTHING goes on the heap.
  • jordanm
    jordanm about 11 years
    I think that partially defeats the purpose of using LDAP for authentication.
  • Ketan
    Ketan about 11 years
    I like the idea but some of the accounts are managed by groups of people and not just individuals. I don't think this would make sense to have them manage passing around keys to all the people/computers that need to log in via sftp to upload files.