How to limit certain domain users to access a RHEL server via SSH?

I know we can grant a specific domain user to SSH into a RHEL server that's on a company's domain. But how do I grant SSH access for a group of domain users? Especially when there are no domain groups to begin with.

Responses

Hi Kevin,

I'm seeing "domain groups" in your post above. Are you or are you not authenticating your Red Hat systems to a domain controller (Windows)?

What version of RHEL (Red Hat Enterprise Linux) are you using by the way?

Something we do often is this:

1) This assumes you are authenticating your Linux systems to Active Directory domain controllers

In /etc/ssh/sshd_config, put in something for the specific group. For example, let's say you had a group in Active Directory named "allowssh2devserver". Edit your /etc/ssh/sshd_config file with something like:

AllowGroups allowssh2devserver

Prerequisites: You will need to create the group in Active Directory (domain controller) and add the users you wish to be in this group. You might have to restart sssd for the changes to be "visible".

If you are not authenticating to Active Directory Domain Controllers, you might have to then put the group in the /etc/group file instead.

Let us know how this goes.

Regards

RJ

Is there a specific place in the sshd_config file to place that line? I added it to the very end of the config file, and it did not work; it blocked all SSH access, even for the root user.

Our server is running RHEL 7, and it has joined our company domain. We applied "realm deny --all" initially to block SSH access to this server for all domain users. Then we added each user individually using "realm permit user@domain". But now we're wondering: instead of adding users one by one, can we just add the entire AD group? I've tried to edit the sshd_config file by adding the statement "AllowGroups ADGroup" at the end of the file, then restarting the sshd service, but that resulted in blocking all users' SSH access, including root.

I personally have used the method I previously described in my previous post. I did this specifically because it was tremendously easier to manage groups than to go to each server and to manually edit things. I looked up the example I had in the previous post. I'm not the first or last person to do this. It still works to this day.

Regards

RJ

Kevin,

Examine this solution ID: https://access.redhat.com/solutions/20981. The specific location of that directive is not strictly important.

As a test, run this command (let's say the name of the group is "authorizedssh2server"):

[root@yourserver ~] # getent group authorizedssh2server

You ought to see the group you specified in the output. If you don't, that's the issue.

As a test, you could temporarily put the group in /etc/group (pick a unique gid number or use the "groupadd" command) and make sure the group name matches the name you specified in /etc/ssh/sshd_config.

There is also AllowUsers, and also keep in mind that spaces in names are a "bad thing"; also see this example, and examine the issues these people spoke of.

Regards

RJ
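The lockout Kevin hit happens because AllowGroups is an allow-list: once it is present, sshd denies every account that is not a member of at least one listed group, root included, and a group name that NSS cannot resolve matches nobody. The following pre-flight check is an added example (not from the thread or from Red Hat) that automates the getent test above before sshd is restarted: it parses the directives out of sshd_config, resolves each group the same way `getent group NAME` does, and warns when no local admin group is listed. The group names, the `LOCAL_ADMIN_GROUPS` default and the example domain are assumptions for illustration.

```python
"""Pre-flight check for sshd AllowGroups / AllowUsers before restarting sshd."""
import grp
from typing import Callable, Dict, List

# Groups that keep local break-glass access working once AllowGroups is set.
# Assumed default for this example; adjust to the site's local admin group.
LOCAL_ADMIN_GROUPS = ("wheel", "root")


def parse_allow_directives(config_text: str) -> Dict[str, List[str]]:
    """Collect names from AllowGroups / AllowUsers lines, ignoring comments.

    sshd_config keywords are case-insensitive, the directive may sit anywhere
    in the file, and repeated AllowGroups lines accumulate rather than replace.
    Because values are whitespace-separated, an AD group containing a space
    ("Dev Admins") is read as two separate names, which is why spaces fail.
    """
    found: Dict[str, List[str]] = {"AllowGroups": [], "AllowUsers": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "allowgroups":
            found["AllowGroups"].extend(parts[1:])
        elif key == "allowusers":
            found["AllowUsers"].extend(parts[1:])
    return found


def group_resolves(name: str) -> bool:
    """Same NSS lookup that `getent group NAME` performs (sssd-backed AD groups count).
    Note: a realm-joined host usually has use_fully_qualified_names=True, so the
    AD group must be written as group@domain to resolve at all."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def check_config(config_text: str,
                 resolver: Callable[[str], bool] = group_resolves) -> List[str]:
    """Return a list of problems; an empty list means it is safe to restart sshd."""
    problems: List[str] = []
    groups = parse_allow_directives(config_text)["AllowGroups"]
    if not groups:
        return problems  # no AllowGroups: sshd does not restrict logins by group
    for g in groups:
        if not resolver(g):
            problems.append(f"AllowGroups entry '{g}' does not resolve (getent group {g} is empty)")
    if not any(g in LOCAL_ADMIN_GROUPS for g in groups):
        problems.append("AllowGroups lists no local admin group; root and local accounts will be denied")
    return problems
```

Run it against a copy of /etc/ssh/sshd_config on the joined host and only restart sshd when it returns an empty list; the resolver argument exists so the logic can also be exercised with a constructed group set, as in the test below.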