How do I limit access to a machine through SSH with LDAP / Active Directory security groups?
This document (7011689) is provided subject to the disclaimer at the end of this document.
Environment
Resolution
While making these changes, keep at least one existing SSH session open if you do not have physical access to the server: a mistake in the PAM configuration can lock you out of the machine.
- Edit /etc/pam.d/sshd with your favorite text editor as a user with root access.
- Find the "account include common-account" line and disable it by placing a # before it.
  - This prevents "any valid LDAP user" from logging in.
- Under the last account line, add the following for each domain group you want to allow access to:
  - account sufficient pam_succeed_if.so user ingroup [domain\group]
- Finally, add the following under the last domain group line. This allows system users in the local wheel group to log in. (It is good to allow at least a few local users to log in: if no local user accounts may log in, a network outage to your LDAP server may leave you unable to log in.)
  - account sufficient pam_succeed_if.so user ingroup wheel
Test your changes by opening a new SSH login session to the server.
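Before closing the SSH session you kept open, it is worth confirming the account stack now has the shape the steps above describe. The following POSIX shell check is an added example and is not part of the SUSE article: the function name `check_sshd_pam_restriction`, the domain group `EXAMPLE\linux-admins` and the three sample PAM files are constructed for illustration. It verifies that the `common-account` include is commented out, that at least one `pam_succeed_if.so user ingroup` gate names a domain group, and that the local `wheel` fallback line is present.

```shell
#!/bin/sh
# Added example, not part of the SUSE article: a pre-flight check to run before
# closing the SSH session you kept open. It reads a PAM file and verifies the
# three properties the steps above establish in the account stack:
#   1. "account include common-account" is disabled (commented out),
#   2. at least one pam_succeed_if "user ingroup" gate names a domain group,
#   3. the local "wheel" fallback line is present.
# The group EXAMPLE\linux-admins and the sample files are constructed here;
# pass /etc/pam.d/sshd to check the real file.

# Return 0 when PAMFILE passes all three checks, 1 otherwise, naming each failure.
check_sshd_pam_restriction() {
    pamfile=$1
    rc=0
    gate='^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_succeed_if\.so[[:space:]]+user[[:space:]]+ingroup[[:space:]]+'

    # 1. A line starting with '#' never matches this pattern, so any match is
    #    an include that is still active.
    if grep -Eq '^[[:space:]]*account[[:space:]]+include[[:space:]]+common-account' "$pamfile"; then
        echo "FAIL: 'account include common-account' is still active in $pamfile"
        rc=1
    fi

    # 2. At least one group gate other than the local wheel fallback.
    if ! grep -E "$gate" "$pamfile" | grep -Evq '[[:space:]]wheel[[:space:]]*$'; then
        echo "FAIL: no 'pam_succeed_if.so user ingroup <domain group>' line in $pamfile"
        rc=1
    fi

    # 3. The local fallback that still works during an LDAP outage.
    if ! grep -Eq "${gate}"'wheel[[:space:]]*$' "$pamfile"; then
        echo "FAIL: no 'user ingroup wheel' fallback line in $pamfile"
        rc=1
    fi

    return $rc
}

# Constructed sample of the account stack after the edit.
GOOD_PAM=$(mktemp)
cat > "$GOOD_PAM" <<'EOF'
#account include common-account
account sufficient pam_succeed_if.so user ingroup EXAMPLE\linux-admins
account sufficient pam_succeed_if.so user ingroup wheel
EOF

# Constructed sample of an unedited stack: every valid LDAP user may log in.
UNEDITED_PAM=$(mktemp)
cat > "$UNEDITED_PAM" <<'EOF'
account include common-account
EOF

# Constructed sample with the include disabled but no local wheel fallback:
# an LDAP outage would leave nobody able to log in.
NOFALLBACK_PAM=$(mktemp)
cat > "$NOFALLBACK_PAM" <<'EOF'
#account include common-account
account sufficient pam_succeed_if.so user ingroup EXAMPLE\linux-admins
EOF

trap 'rm -f "$GOOD_PAM" "$UNEDITED_PAM" "$NOFALLBACK_PAM"' EXIT

# Only the first sample passes; the other two report what is missing.
for f in "$GOOD_PAM" "$UNEDITED_PAM" "$NOFALLBACK_PAM"; do
    if check_sshd_pam_restriction "$f"; then
        echo "PASS: $f"
    fi
done
```

The check only inspects the file's text. Whether the domain group actually resolves on the host is a separate question; `getent group` on the group name shows whether NSS can see it, and the new SSH login the article asks for remains the real test.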
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7011689
- Creation Date: 23-Jan-2013
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com