2.2.6. Limit SSH Connections by LDAP Group

Edit /etc/pam.d/sshd with a text editor as a user with root access.

nano /etc/pam.d/sshd

Find the “account include common-account” line and disable it by placing a # before it


Commenting this line will prevent “any user” from logging in.

# Standard Un*x authorization.
#@include common-account

Under the last account line, add the following for each domain group you want to allow access to:

account sufficient pam_succeed_if.so user ingroup [shortdomain\group]

Finally add the following under the last domain group line. This allows the original admin group to log in.

(It’s good to allow at least a few local users to log in, as if you don’t allow any local user accounts to log in, a network outage to your LDAP server may result in the inability to log in, so it’s basically an anti-lockout).

account sufficient pam_succeed_if.so user ingroup [adminuser]

Test your changes by opening a new SSH login session to the server (try to avoid getting locked out!)