I have join my linux to windows domain succesfully, and now everyone in the domain is able to log in to the server by using ssh.
But we only want to allow certain users from a group to log in.
Example of current two groups:
#it_admin
Domain Admin
Ubuntu – SSH allow windows AD groups(with Special charactors)
ldapsshusers
Related Solutions
In your example you:
- Have the user
user1as a part of the groupuser2. - Have the user
user2as a part of the groupadmin.
The user user1 is distinct from the group user1.
Since (the user) user2 is a member of the admin group, and (the user) user1 is a member of (the group) user2 - is user1 effectively an admin?
- No, the user
user2is a member of theadmingroup. Not the groupuser1.
If the admin group is in the sudoers file, can (the user) user2 use it as well?
- Yes, just as the other users which are members of the group, jim and bob.
If the admin group is in the sudoers file, can user1 use it as well?
- No, since the admin group only consists of users. It has the user
user2in it. Even though the useruser1is part of the groupuser2. They are different things, but share the same name in this and many distros setup. Groups on one side, users on the other. If the names match, they are still entierly different things.
To sum it up: Separate the user from the group. The names may be the same, but they refer to different entities. In GNU/Linux you do not have groups inside groups, a group can only contain users (which is different from say Windows).
A) Short answer
Default groups; say for user123, on fresh install - (use command groups in a terminal):
user123 adm cdrom sudo dip plugdev lpadmin sambashare
Gives diff from 11.04 as
adminis replaced bysudodialoutis removeddipis added.
To get/view defaults. Would probably work for various others too; do:
sudo grep user-setup /var/log/installer/syslog
B) Restoring default groups
(Adding this to make it more complete)
1. Identifying the groups
I always set root password, but if you haven't use a live CD, live USB, other install etc. to get to the file.
If you have set root password (by i.e.):
sudo passwd root
and have lost sudo privileges do:
su - root
grep user-setup /var/log/installer/syslog
Gives you i.e.
... user-setup: pwconv: failed to change the mode of /etc/passwd- to 0600
... user-setup: Shadow passwords are now on.
... user-setup: Adding user `user123' ...
... user-setup: Adding new group `user123' (1000) ...
... user-setup: Adding new user `user123' (1000) with group `user123' ...
... user-setup: Creating home directory `/home/user123' ...
... user-setup: Copying files from `/etc/skel' ...
... user-setup: addgroup: The group `lpadmin' already exists as a system group. Exiting.
... user-setup: Adding group `sambashare' (GID 124) ...
... user-setup: Done.
... user-setup: Adding user `user123' to group `adm' ...
... user-setup: Adding user user123 to group adm
... user-setup: Done.
... user-setup: Adding user `user123' to group `cdrom' ...
... user-setup: Adding user user123 to group cdrom
... user-setup: Done.
... user-setup: Adding user `user123' to group `dip' ...
... user-setup: Adding user user123 to group dip
... user-setup: Done.
... user-setup: Adding user `user123' to group `lpadmin' ...
... user-setup: Adding user user123 to group lpadmin
... user-setup: Done.
... user-setup: Adding user `user123' to group `plugdev' ...
... user-setup: Adding user user123 to group plugdev
... user-setup: Done.
... user-setup: Adding user `user123' to group `sambashare' ...
... user-setup: Adding user user123 to group sambashare
... user-setup: Done.
... user-setup: adduser: The group `debian-tor' does not exist.
... user-setup: Adding user `user123' to group `sudo' ...
... user-setup: Adding user user123 to group sudo
... user-setup: Done.
... ubiquity: Removing user-setup ...
... ubiquity: Purging configuration files for user-setup ...
Or:
su - root
grep "user-setup: Adding user user123 to group" /var/log/installer/syslog | cut -d' ' -f11
Which yields:
adm
cdrom
dip
lpadmin
plugdev
sambashare
sudo
(No idea why dip suddenly has become a default group by install. Something to do with dialout being removed?)
2.a Updating groups - using "built-in" root access
So do, as root, to add groups to user, i.e. user user123:
usermod -a -G adm,cdrom,lpadmin,sudo,sambashare,dip,plugdev user123
Where (Somewhat outdated on 12.10):
adm Monitor system logs
cdrom Use CD-ROM drives
lpadmin Configure printers
sudo administer the system, ...
sambashare Share files with the local network
dip Connect to the Internet using a modem
plugdev Access external storage devices
Some extras you might need: (check what you have by root@YOURPC:~# id -nG user123)
dialout ttyS*/Serial/COM1,COM2 ...
vboxusers Virtual Box
user123 Your own group
If you want; double-check /etc/group , i.e. (here with some extras):
root@YOURPC:~# grep user123 /etc/group
adm:x:4:user123
audio:x:29:user123,timidity,pulse
video:x:44:user123
lp:x:7:user123
dialout:x:20:user123
cdrom:x:24:user123
sudo:x:27:user123
dip:x:30:user123
plugdev:x:46:user123
lpadmin:x:107:user123
user123:x:1000:
sambashare:x:124:user123
vboxusers:x:127:user123
autologin:x:1001:user123
As an alternative one can boot in to rescue mode and
mount -o remount,rw /
usermod -G adm,cdrom,lpadmin,sudo,sambashare,dip,plugdev user123
Log out and log in. Groups should be updated.
2.b Updating groups - using root access from Live-CD etc.
xxx here is where your file-system is mounted when running a live edition, i.e. /media/foo.
Manually edit the file /xxx/etc/group using vigr and add user as in previous listing.
Or; only add user to sudo; as in:
sudo:x:27:user123
Boot into your installation and update by executing the usermod command with sudo:
sudo usermod -a -G adm,cdrom,lpadmin,sudo,sambashare,dip,plugdev user123
Log out and log in. Groups should be updated.
Double Note: admin is no longer part of Ubuntu as of 11.10 in favour of sudo.
Best Answer
You can do this in two ways. One is to let the SSH configuration filter, and the other is to use
pam_access.Using SSH configuration
To
/etc/ssh/sshd_config, add aAllowGroupsline:From the manpage:
Domain Adminhere doesn't matchDomain Adminthe group name, but two separate groupsDomainandAdmin. You'll have to use something likeDomain*Adminand*it_admin, since neither(space) nor (#) are usually valid characters in Linux groups. To be on the safer side, use?instead of*:Domain?Adminand?it_admin, so that only one character is allowed by the wildcard. You can also add a pattern-based DenyGroups section. See thePATTERNSsection inman ssh_config.Using
pam_accessAdd lines to
/etc/security/access.confof the form:There are plenty of comments in that file which document how to use it.
man pam_accessis quite bare, so most information would come from those comments.pam_accessis more powerful in that it can control non-SSH logins as well (TTYs, GUI, etc.). This particular line, for example, should deny any user who does not haveDomainorAdminas a group from logging in at all (unless other lines allow them).Both approaches are pretty flexible, and I don't know the pros and cons, so no recommendations.