Allow domain group ssh access
Centos 7 joined to 2012 R2 AD domain
Joined to the AD domain with realm join, and now I can ssh in as any domain user (ssh server -l [email protected]).
I can also log in to the local console as [email protected].
I want to only allow certain domain groups to ssh in, so I added this to the bottom of /etc/ssh/sshd_config:
(serveradmins is an AD security group)
AllowGroups serveradmins
But that doesn't seem to work. Users in the serveradmins group cannot log in, and I see these messages in /var/log/messages:
I also tried
AllowGroups LAB\serveradmins
I think ssh or something is messing with the password because preauthentication failure errors are usually incorrect password problems (according to microsoft)
I should say I can still log in locally as [email protected] without issues.
Edit: OK, so I have achieved what I wanted to accomplish with pam_access by enabling the module for sshd and then writing this to access.conf:
+ : (LAB\serveradmins) : ALL
- : ALL : ALL
Seems like pam_access is the way to go as it is more uniform, but I'd still like to know where sshd_config is falling down.
For me it worked:
AllowGroups domain?admins
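Why the plain `AllowGroups serveradmins` from the question fails while `domain?admins` works comes down to what sshd actually compares. sshd does not resolve the AllowGroups entry with a group lookup; it takes the names of the user's primary and supplementary groups exactly as the OS reports them (what `id user@domain` prints on the box) and tests each one against each whitespace-separated AllowGroups entry with its own glob matcher, where `*` and `?` are wildcards. After a default `realm join`, sssd reports groups fully qualified, so the group shows up as `serveradmins@lab.local`, not `serveradmins`, and a name with a space such as `domain admins` cannot be written into the directive literally, hence the `?`. The shell script below is an added example written for this page, not code from the thread or from OpenSSH: it models that matching on a constructed group list and checks the directives discussed above against it. The domain `lab.local` and the group list are assumptions; run `id` for a real domain user to see the strings your sshd will compare against.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or OpenSSH): a small model of
# how sshd evaluates AllowGroups. Each of the user's group names is tested
# against each whitespace-separated entry with glob matching (* and ?).
# Group names below are constructed sample data assuming sssd's default
# use_fully_qualified_names = True after `realm join` (domain lab.local is
# hypothetical).

set -f   # disable pathname expansion so a '*' in a pattern stays literal

# sshd_match PATTERN NAME : succeed if NAME matches the glob PATTERN
sshd_match() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# allow_groups_permit "ALLOWGROUPS VALUE" GROUP... : succeed if any of the
# user's groups matches any entry, which is what sshd needs to pass the
# AllowGroups check for that user.
allow_groups_permit() {
    _patterns=$1
    shift
    for _g in "$@"; do
        for _p in $_patterns; do   # sshd splits the directive on whitespace
            if sshd_match "$_p" "$_g"; then
                return 0
            fi
        done
    done
    return 1
}

# Constructed group list for a member of serveradmins and "Domain Admins",
# as sssd would report it with fully qualified names turned on.
check() {
    if allow_groups_permit "$1" \
        'domain users@lab.local' 'serveradmins@lab.local' 'domain admins@lab.local'; then
        echo "AllowGroups $1 -> permitted"
    else
        echo "AllowGroups $1 -> denied (what the question reports)"
    fi
}

check 'serveradmins'              # denied: no group is named exactly "serveradmins"
check 'serveradmins@lab.local'    # permitted: matches the qualified name
check 'serveradmins@*'            # permitted: * covers the domain suffix
check 'domain?admins@lab.local'   # permitted: ? stands in for the space
check 'domain?admins'             # denied here: the qualified suffix is missing
```

The last line shows the flip side of the accepted `domain?admins` answer: it only matches when sssd reports short names (`use_fully_qualified_names = False`, or the group listed without a suffix by `id`). Whatever `id` prints for the group is the string to put in AllowGroups, with `?` in place of any spaces.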
After a long search for a solution to this, I finally found it.
If you used "realm join" to join the box to an AD domain, then continue to use the realm command to restrict the group access.
First, remove all group access:
realm deny -a
Then, allow only the groups that should have access:
realm permit -g groupname@domainname
Note, if your group name has a space in it, then you'll need to quote it out:
realm permit -g "group name"@domainname
Hope this helps someone!