Ideas on how to prevent locked Active Directory users from logging in with an SSH key

Hello,

We integrated one of our test machines into Active Directory. We followed the instructions from Chapter 2.5 in the RHEL7 Windows Integration Guide.

The integration itself worked smoothly and the desired users from Active Directory could log in to the machine. If an account is disabled in Active Directory, the user is not able to log in using username and password anymore. However, if a user created an SSH key pair to log in, he/she is still able to log in to the machine using the SSH key, even if the Active Directory account is disabled. The user has access to his/her home directory and all group- and world-readable files. The command id shows the uid, gid and groups. I would expect this because the account still exists and is only disabled. Find an example output of a disabled Active Directory user:

[oglattermann@rhel-t3 ~]$ id
uid=1234567890(oglattermann) gid=100(users) groups=100(users),54321(ad_users_group1),137377(rhel-t3.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Currently my only idea to prevent this user from logging in is to run a task with Ansible which empties the authorized_keys file of the user oglattermann. But I'm not sure if there is a better way.

If you have any further ideas on how to prevent this user from logging in, please share them. If you think there has to be something wrong and the user should not be able to log in either with a password or with an SSH key, please share your thoughts on what might be wrong here.

My /etc/sssd/sssd.conf looks like:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = AD_Users_Group, rhel-t3.example.com

Kind regards,
Joerg
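
Added example (editor's note, not part of Joerg's post or of SSSD): the reason a public-key login is not affected by the disabled flag is that sshd does not run the PAM auth stack for public-key authentication, only the account stack, so pam_sss only asks SSSD's access provider, and `access_provider = simple` checks nothing but group membership. The script below reproduces, on constructed LDIF entries, the two checks that SSSD's AD access provider applies to a user instead (the ACCOUNTDISABLE bit of userAccountControl and accountExpires, as documented for `ldap_account_expire_policy = ad` in sssd-ldap(5)). The DNs, account names and timestamps are made up; the LDIF is in the shape `ldapsearch -LLL ... userAccountControl accountExpires` returns. It goes a little beyond the post by also covering expired accounts.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether an AD account is
# disabled or expired from the attributes that SSSD's "ad" access provider
# consults. The LDIF entries at the bottom are constructed sample data.
set -eu

ACCOUNTDISABLE=2   # userAccountControl bit 0x0002 (ADS_UF_ACCOUNTDISABLE)

# is_disabled_uac UAC -> exit 0 if the ACCOUNTDISABLE bit is set, 1 otherwise
is_disabled_uac() {
    [ $(( $1 & ACCOUNTDISABLE )) -ne 0 ]
}

# ad_expires_to_epoch VALUE -> Unix epoch seconds, or "never".
# accountExpires counts 100 ns ticks since 1601-01-01 UTC; 0 and INT64_MAX
# both mean "never expires". 11644473600 s lie between 1601 and 1970.
ad_expires_to_epoch() {
    v=$1
    if [ "$v" = 0 ] || [ "$v" = 9223372036854775807 ]; then
        echo never
        return 0
    fi
    echo $(( v / 10000000 - 11644473600 ))
}

# ldif_attr LDIF ATTR -> value of the first "ATTR: value" line (empty if absent)
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" '$1 == a { print $2; exit }'
}

# account_state LDIF NOW_EPOCH -> prints "disabled", "expired" or "ok"
account_state() {
    ldif=$1
    now=$2
    uac=$(ldif_attr "$ldif" userAccountControl)
    exp=$(ldif_attr "$ldif" accountExpires)
    if is_disabled_uac "${uac:-0}"; then
        echo disabled
        return 0
    fi
    e=$(ad_expires_to_epoch "${exp:-0}")
    if [ "$e" != never ] && [ "$e" -le "$now" ]; then
        echo expired
        return 0
    fi
    echo ok
}

# Constructed sample entries (not real directory data).
ENTRY_ACTIVE=$(printf 'dn: CN=alice,OU=Users,DC=example,DC=com\nuserAccountControl: 512\naccountExpires: 0\n')
ENTRY_DISABLED=$(printf 'dn: CN=bob,OU=Users,DC=example,DC=com\nuserAccountControl: 514\naccountExpires: 9223372036854775807\n')
# 132223104000000000 ticks = 2020-01-01T00:00:00Z
ENTRY_EXPIRED=$(printf 'dn: CN=carol,OU=Users,DC=example,DC=com\nuserAccountControl: 512\naccountExpires: 132223104000000000\n')

NOW=1700000000   # fixed "now" (2023-11-14) so the demo output is deterministic

for entry in "$ENTRY_ACTIVE" "$ENTRY_DISABLED" "$ENTRY_EXPIRED"; do
    printf '%-40s %s\n' "$(ldif_attr "$entry" dn)" "$(account_state "$entry" "$NOW")"
done
```

In practice you do not need to script this check yourself: setting `access_provider = ad` in the `[domain/example.com]` section makes SSSD apply exactly these checks (plus an optional `ad_access_filter`) whenever pam_sss runs in the account stack, which sshd does for key logins as long as `UsePAM yes` is set; the simple provider can then be dropped, or its group restriction expressed as an `ad_access_filter` on memberOf. If you also want the keys themselves to be managed centrally rather than in each user's authorized_keys, sssd ships `sss_ssh_authorizedkeys`, used via `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` in sshd_config together with `ssh` added to the `services =` line of sssd.conf. Check the current sssd-ad(5) and sssd-ldap(5) man pages on the machine before relying on the defaults described here.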

Responses