2.2.6. Limit SSH Connections by LDAP Group
Edit /etc/pam.d/sshd with a text editor as a user with root access.
Find the line that includes common-account (shown as `@include common-account` below) and disable it by placing a # in front of it.
Commenting out this line removes the default account check, so no user is allowed in by default; from this point on, access is granted only by the pam_succeed_if rules added below.

    # Standard Un*x authorization.
    #@include common-account
Under the last account line, add the following for each domain group you want to allow access to (pam_succeed_if checks membership through NSS, so the group must be resolvable with `getent group`, and a mistyped group name simply never matches):

    account sufficient pam_succeed_if.so user ingroup [shortdomain\group]
Finally, add the following under the last domain group line. This allows the original local admin group to log in.
(It is good to allow at least a few local users to log in: if no local accounts are permitted, an outage of the LDAP server could leave you unable to log in at all, so this rule acts as an anti-lockout.)

    account sufficient pam_succeed_if.so user ingroup [adminuser]
Test your changes by opening a new SSH login session to the server while keeping your current session open, so you can revert the edit if the new login fails (try to avoid getting locked out!).
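Before opening that test session, it helps to audit the edited file for the two mistakes that lock everyone out: the common-account include left active, or an `ingroup` rule naming a group that does not resolve. The script below is an added example, not part of this guide; the sample PAM file, the `corp\sshadmins` domain group and the group-database file it checks against are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original guide). It checks an
# /etc/pam.d/sshd file against the layout described above: the
# common-account include must be commented out, and every group named in a
# "pam_succeed_if.so user ingroup" rule must resolve, since a typo there
# leaves a stack of failing "sufficient" rules and PAM denies everyone.

# Active (non-comment, non-blank) lines of a PAM file.
active_lines() { sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# Exit 0 when no active line still includes common-account.
include_disabled() {
    ! active_lines "$1" | grep -Eq '^[[:space:]]*(@include|account[[:space:]]+include)[[:space:]]+common-account'
}

# Print the group of every active "account sufficient pam_succeed_if.so user ingroup <g>" rule.
allowed_groups() {
    active_lines "$1" | awk '$1=="account" && $2=="sufficient" && $3=="pam_succeed_if.so" &&
                             $4=="user" && $5=="ingroup" {print $6}'
}

# Exit 0 if group $1 resolves: in the /etc/group-format file $2 when given
# (used here with a constructed sample), otherwise through NSS with getent,
# which is what pam_succeed_if's "ingroup" test relies on for LDAP groups.
group_resolves() {
    if [ -n "$2" ]; then g="$1" awk -F: '$1==ENVIRON["g"]{f=1} END{exit !f}' "$2"
    else getent group "$1" >/dev/null; fi
}

# Report problems; exit 0 only when the include is disabled and all groups resolve.
audit_sshd_account() {
    rc=0
    include_disabled "$1" || { echo "common-account include is still active"; rc=1; }
    for g in $(allowed_groups "$1"); do
        group_resolves "$g" "$2" || { echo "unresolved group: $g"; rc=1; }
    done
    return $rc
}

# Constructed sample of the account section after the edits above (Debian layout).
SAMPLE_PAM=$(mktemp); cat > "$SAMPLE_PAM" <<'EOF'
account    required     pam_nologin.so
# Standard Un*x authorization.
#@include common-account
account sufficient pam_succeed_if.so user ingroup corp\sshadmins
account sufficient pam_succeed_if.so user ingroup sudo
EOF
# Constructed group database: the domain group as NSS would present it, plus the local "sudo" group.
SAMPLE_GROUPS=$(mktemp); printf '%s\n' 'corp\sshadmins:*:10001:alice' 'sudo:x:27:bob' > "$SAMPLE_GROUPS"
audit_sshd_account "$SAMPLE_PAM" "$SAMPLE_GROUPS" && echo "sshd account stack looks sane"
```

On a live system, run `audit_sshd_account /etc/pam.d/sshd` with no second argument so each group is looked up through `getent`, which exercises the same NSS path pam_succeed_if uses.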