SSH: allow Windows AD groups (with special characters)
You can do this in two ways. One is to let the SSH configuration filter, and the other is to use `pam_access`.

Using SSH configuration

To `/etc/ssh/sshd_config`, add an `AllowGroups` line:

```
AllowGroups Domain Admin
```

From the manpage:

> AllowGroups
> This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.

`Domain Admin` here doesn't match `Domain Admin` the group name, but two separate groups `Domain` and `Admin`. You'll have to use something like `Domain*Admin` and `*it_admin`, since neither ` ` (space) nor `#` are usually valid characters in Linux groups. To be on the safer side, use `?` instead of `*`: `Domain?Admin` and `?it_admin`, so that only one character is allowed by the wildcard. You can also add a pattern-based `DenyGroups` section. See the PATTERNS section in `man ssh_config`.

Using pam_access

Add lines to `/etc/security/access.conf` of the form:

```
- : ALL EXCEPT (Domain) (Admin) : ALL
```

There are plenty of comments in that file which document how to use it. `man pam_access` is quite bare, so most information would come from those comments. `pam_access` is more powerful in that it can control non-SSH logins as well (TTYs, GUI, etc.). This particular line, for example, should deny any user who does not have `Domain` or `Admin` as a group from logging in at all (unless other lines allow them).

Both approaches are pretty flexible, and I don't know the pros and cons, so no recommendations.
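To make the two matching rules concrete, here is an added example (not code from the answer, OpenSSH or Linux-PAM) that simulates both mechanisms on constructed data: it tokenizes an `AllowGroups` value on whitespace the way `sshd` does, matches group names against the patterns with `fnmatch` (an approximation of `sshd`'s `*`/`?` matcher), and evaluates a small subset of `access.conf` (`ALL`, `ALL EXCEPT ...`, user names, `(group)` entries, origin `ALL` or a literal origin). The group names, user names and the `ACCESS_CONF` text are all constructed for the demonstration.

```python
"""Toy evaluator for sshd AllowGroups/DenyGroups and pam_access rules.

Constructed example: approximates the real matchers, which have more
options (e.g. fnmatch also treats '[...]' as a character class).
"""
import fnmatch


def sshd_group_patterns(directive_value):
    """Tokenize an AllowGroups/DenyGroups argument the way sshd's config
    parser does: on whitespace.  'Domain Admin' yields TWO patterns."""
    return directive_value.split()


def sshd_group_match(groups, patterns):
    """True if any of the user's groups matches any pattern (case-sensitive)."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def sshd_allows(groups, allow_groups=None, deny_groups=None):
    """Approximate sshd decision: DenyGroups is checked before AllowGroups;
    if AllowGroups is set, the user must match at least one of its patterns."""
    if deny_groups and sshd_group_match(groups, sshd_group_patterns(deny_groups)):
        return False
    if allow_groups is None:
        return True
    return sshd_group_match(groups, sshd_group_patterns(allow_groups))


def parse_access_conf(text):
    """Parse 'permission : users : origins' lines; '#' comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _list_match(user, groups, items):
    """ALL matches everyone, '(name)' matches a group, anything else a user name."""
    for item in items:
        if item == "ALL":
            return True
        if item.startswith("(") and item.endswith(")"):
            if item[1:-1] in groups:
                return True
        elif item == user:
            return True
    return False


def _users_field_match(user, groups, items):
    """Handle 'ALL EXCEPT (g1) (g2)': match the base list, then subtract exceptions."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_match(user, groups, items[:i]) and not _list_match(user, groups, items[i + 1:])
    return _list_match(user, groups, items)


def pam_access_allows(user, groups, origin, rules):
    """First matching rule decides ('+' permit, '-' deny); no matching rule
    means permit, which is pam_access's default."""
    for perm, users, origins in rules:
        if _users_field_match(user, groups, users) and ("ALL" in origins or origin in origins):
            return perm == "+"
    return True


# Constructed access.conf content: the line from the answer above.
ACCESS_CONF = """# constructed sample
- : ALL EXCEPT (Domain) (Admin) : ALL
"""

if __name__ == "__main__":
    ad_group = ["Domain Admin"]  # constructed AD group name containing a space
    print(sshd_allows(ad_group, "Domain Admin"))   # False: split into 'Domain' and 'Admin'
    print(sshd_allows(ad_group, "Domain?Admin"))   # True
    print(sshd_allows(["Domain Super Admin"], "Domain*Admin"))  # True: '*' is broader than intended
    print(sshd_allows(["Domain Super Admin"], "Domain?Admin"))  # False
    rules = parse_access_conf(ACCESS_CONF)
    print(pam_access_allows("alice", ["Domain"], "tty1", rules))  # True
    print(pam_access_allows("bob", ["users"], "tty1", rules))     # False
```

The `Domain*Admin` versus `Domain?Admin` cases show why the answer recommends `?`: the `*` pattern also admits any other group whose name starts with `Domain` and ends with `Admin`. On a real host, `sshd -T` prints the effective configuration, so you can confirm how a line was split before relying on it.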