SSH authorization in Centos 7 for a group of domain users
SSH authorization in Centos 7
It is necessary to configure SSH authorization in CentOS 7 for a specific group of domain controller users, as well as give sudo rights for this user group
Initial data
domain.local - название контроллера домена
192.168.1.12 - его ip адрес
srv-dc-01.domain.local - название сервера контроллера домена
srv-routing-02 - название linux машины, которую вводим в домен
admin - администратор домена
linux_adm - группа пользователей домена, которым разрешено подключение по sshLinux server preparation
Change hostname
[[email protected] ~]# hostnamectl set-hostname srv-routing-02Installing the utility for time synchronization
[[email protected] ~]# yum install chronySetting up chrony. We leave only our domain controller
[[email protected] ~]# nano /etc/chrony.conf
server srv-dc-01.domain.local iburstWe launch it and add it to startup
[[email protected] ~]# systemctl start chronyd
[[email protected] ~]# systemctl enable chronydChecking
[[email protected] ~]# cat /var/log/messages | grep chronyd
Oct 15 16:47:06 [localhost] chronyd[29373]: chronyd exiting
Oct 15 16:48:01 [localhost] chronyd[774]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
Oct 15 16:48:01 [localhost] chronyd[774]: Frequency 0.000 +/- 1000000.000 ppm read from /var/lib/chrony/drift
Oct 15 16:48:02 [localhost] chronyd[774]: Source 192.168.1.2 offline
Oct 15 16:48:02 [localhost] chronyd[774]: Source 192.168.1.2 onlineAdd the addresses of the primary and backup domain controller to / etc / hosts
[[email protected] ~]# cat /etc/hosts
192.168.1.2 srv-dc-01.domain.local
192.168.1.3 srv-dc-02.domain.localEdit the resolv.conf file, add the search directive
[[email protected] ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.local
nameserver 192.168.1.3
nameserver 192.168.1.2Connecting CentOS 7 to a Domain Controller
Install the necessary software and reboot
[[email protected] ~]# yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
[[email protected] ~]# rebootWe drive the server with CentOS 7 to the domain
[[email protected] ~]# realm discover DOMAIN.LOCAL
domain.local
type: kerberos
realm-name: DOMAIN.LOCAL
domain-name: domain.local
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools[[email protected] ~]# realm join --user=admin domain.local
Password for admin:We check our domain controller. Our linux server should appear in the list of computers
list of computers
So that when connecting to the server it is not necessary to enter the full domain name (%username%@domain.local), but only% username%, change the config of the sssd utility. Also change the name of the created user directory
[[email protected] ~]# nano /etc/sssd/sssd.conf
...
use_fully_qualified_names = False
fallback_homedir = /home/%u
...Allow domain users to create home directories
[[email protected] ~]# authconfig --enablemkhomedir --enablesssdauth --updateallAdd the sssd utility to startup and restart it
[[email protected] ~]# systemctl enable sssd.service
[[email protected] ~]# systemctl restart sssdTo check in which groups the user
[[email protected] ~]# id %username%To reread user data from a domain controller (clear the entire cache), for example, after adding a user to another group.
[[email protected] ~]# sss_cache -EOr just for a specific user
[[email protected] ~]# sss_cache -u user1We allow connection only for the linux_adm group on the domain controller (we created it in advance), and for the user user
[[email protected] ~]# nano /etc/sssd/sssd.conf
...
access_provider = simple
simple_allow_users = [email protected]
simple_allow_groups = [email protected]Restart the sssd service
[[email protected] ~]# systemctl restart sssdTo check access restrictions for domain controller users, monitor the log file / var / log / secure
Access is closed:
Oct 16 09:47:51 [localhost] sshd[6687]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=user.domain.local user=Test1
Oct 16 09:47:51 [localhost] sshd[6687]: pam_sss(sshd:account): Access denied for user Test1: 6 (Permission denied)
Oct 16 09:47:51 [localhost] sshd[6687]: Failed password for Test1 from 192.168.1.99 port 37140 ssh2
Oct 16 09:47:51 [localhost] sshd[6687]: fatal: Access denied for user Test1 by PAM account configuration [preauth]Access is allowed:
Oct 16 09:48:17 [localhost] sshd[6690]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=user.domain.local user=Test2
Oct 16 09:48:17 [localhost] sshd[6690]: Accepted password for Test2 from 192.168.1.99 port 37158 ssh2
Oct 16 09:48:17 [localhost] sshd[6690]: pam_unix(sshd:session): session opened for user Test2 by (uid=0)Restricting sudo access by domain group
Create a file (the file name must be without dots)
[[email protected] ~]# nano /etc/sudoers.d/domain
%[email protected] ALL=(ALL) ALLWhere domain – the name of our domain, without “.local“
We expose the rights
[[email protected] ~]# chmod 0440 /etc/sudoers.d/domain