SSH authorization in Centos 7 for a group of domain users
SSH authorization in Centos 7
We need to configure SSH login on CentOS 7 for a specific group of domain controller users, and also grant that group sudo rights.
Initial data
domain.local - the domain controller name
192.168.1.12 - its IP address
srv-dc-01.domain.local - the name of the domain controller server
srv-routing-02 - the name of the Linux machine being joined to the domain
admin - the domain administrator
linux_adm - the group of domain users allowed to connect over ssh
Linux server preparation
Change the hostname:
[root@localhost ~]# hostnamectl set-hostname srv-routing-02
Install the time synchronization utility:
[root@localhost ~]# yum install chrony
Configure chrony, leaving only our domain controller as the time source:
[root@localhost ~]# nano /etc/chrony.conf
server srv-dc-01.domain.local iburst
Start it and enable it at boot:
[root@localhost ~]# systemctl start chronyd
[root@localhost ~]# systemctl enable chronyd
Check:
[root@localhost ~]# cat /var/log/messages | grep chronyd
Oct 15 16:47:06 [localhost] chronyd[29373]: chronyd exiting
Oct 15 16:48:01 [localhost] chronyd[774]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
Oct 15 16:48:01 [localhost] chronyd[774]: Frequency 0.000 +/- 1000000.000 ppm read from /var/lib/chrony/drift
Oct 15 16:48:02 [localhost] chronyd[774]: Source 192.168.1.2 offline
Oct 15 16:48:02 [localhost] chronyd[774]: Source 192.168.1.2 online
Add the addresses of the primary and backup domain controllers to /etc/hosts:
[root@localhost ~]# cat /etc/hosts
192.168.1.2 srv-dc-01.domain.local
192.168.1.3 srv-dc-02.domain.local
Edit the resolv.conf file and add the search directive:
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.local
nameserver 192.168.1.3
nameserver 192.168.1.2
Connecting CentOS 7 to a Domain Controller
Install the required packages and reboot:
[root@localhost ~]# yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
[root@localhost ~]# reboot
Join the CentOS 7 server to the domain:
[root@localhost ~]# realm discover DOMAIN.LOCAL
domain.local
type: kerberos
realm-name: DOMAIN.LOCAL
domain-name: domain.local
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
[root@localhost ~]# realm join --user=admin domain.local
Password for admin:
Check on the domain controller: our Linux server should appear in the list of computers.
(Screenshot: list of computers)
So that users can log in with just %username% instead of the fully qualified name (%username%@domain.local), change the sssd configuration. Also change the name of the home directory that gets created:
[root@localhost ~]# nano /etc/sssd/sssd.conf
...
use_fully_qualified_names = False
fallback_homedir = /home/%u
...
Enable automatic creation of home directories for domain users:
[root@localhost ~]# authconfig --enablemkhomedir --enablesssdauth --updateall
Enable sssd at boot and restart it:
[root@localhost ~]# systemctl enable sssd.service
[root@localhost ~]# systemctl restart sssd
To check which groups a user belongs to:
[root@localhost ~]# id %username%
To re-read user data from the domain controller (clear the entire cache), for example after adding a user to another group:
[root@localhost ~]# sss_cache -E
Or for a specific user only:
[root@localhost ~]# sss_cache -u user1
Allow logins only for the linux_adm group on the domain controller (created in advance) and for the user named user:
[root@localhost ~]# nano /etc/sssd/sssd.conf
...
access_provider = simple
simple_allow_users = user@domain.local
simple_allow_groups = linux_adm@domain.local
Restart the sssd service:
[root@localhost ~]# systemctl restart sssd
To check the access restrictions for domain users, watch the log file /var/log/secure.
Access is closed:
Oct 16 09:47:51 [localhost] sshd[6687]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=user.domain.local user=Test1
Oct 16 09:47:51 [localhost] sshd[6687]: pam_sss(sshd:account): Access denied for user Test1: 6 (Permission denied)
Oct 16 09:47:51 [localhost] sshd[6687]: Failed password for Test1 from 192.168.1.99 port 37140 ssh2
Oct 16 09:47:51 [localhost] sshd[6687]: fatal: Access denied for user Test1 by PAM account configuration [preauth]
Access is allowed:
Oct 16 09:48:17 [localhost] sshd[6690]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=user.domain.local user=Test2
Oct 16 09:48:17 [localhost] sshd[6690]: Accepted password for Test2 from 192.168.1.99 port 37158 ssh2
Oct 16 09:48:17 [localhost] sshd[6690]: pam_unix(sshd:session): session opened for user Test2 by (uid=0)
Restricting sudo access by domain group
Create a file (the file name must not contain dots):
[root@localhost ~]# nano /etc/sudoers.d/domain
%linux_adm@domain ALL=(ALL) ALL
Where domain is the name of our domain, without ".local".
Set the permissions:
[root@localhost ~]# chmod 0440 /etc/sudoers.d/domain