Using Active Directory groups to control access to Linux services

Recently I published an article on how to Integrate Unix into Active Directory while maintaining UNIX style security using Samba and OpenLDAP outlining the configuration setting up OpenLDAP to do ID mapping between Unix and Active Directory as well as how to configure the client to authenticate to Active Directory and obtaining user and group UID and GID from OpenLDAP.

Now lets discuss how to take advantage of using Active Directory to control access to client and server services.

1. PAM (Plug able Authentication module)

By default when bound to Active Directory any Active Directory user can log into the workstation/Server console or Graphical Desktop environment. Depending on the role and content stored on the workstation/server System Administrators might want to restrict access to only a controlled group leveraging Active Directory for controlled and simplified management.

System Administrators might want to leverage Active Directory to grant access only to some services such as SHH and FTP to users or groups to provide simplified management and controlled access. PAM makes this happen.

PAM provides authentication to application interfaces such as SSH, FTP, Graphical desktop environments (WDM), as well as the UNIX console. All modern UNIX and Linux operating systems support PAM. To control access to certain services these modules will have to be modified.

This document will go over a few services to provide as an example on how to modify PAM modules to properly secure access to services. These settings can be configured on either a workstation or a server.

1.2 Restrict access to GDM, Console, and SSH to a domain group

1.2.2 Active Directory group

Create security groups for each service you want to control access. How you want to define your groups is up to you. You can have parent groups and then nested groups in parent groups. This is ideal if you want to have a security group per data center/site for local site administrators and then have your Enterprise Unix Admin group a member of the data center group to provide global support; create a security group per host and have nested groups to grant access to different support groups; or have a security group per host and then grant security groups for different FTP sites hosted on the host to allow FTP user access. These are just a few examples and the options are up to you. You can state more than one group if you do not want to have nested groups in groups. You are not restricted.

In this document we will create groups pasted on host access. When creating a group ensure the group does not have any spaces. Example JIMMNIX01-console where jimmnix01 is the host name of the client.

1.2.3 Restrict Console

1. To restrict access to the console modify /etc/pam.d/login with the following changes:

   1. Comment out the following lines using a (#) before each line:

#auth sufficient pam_unix.so use_first_pass

#account sufficient pam_winbind.so

#account required pam_stack.so service=system-auth

2. Add account sufficient pam_succeed_if.so user ingroup DomainGroup (where DomainGroup is the group you created in Active Directory)

Example: account sufficient pam_succeed_if.so user ingroup wheel

3. To grant another group add another line with account sufficient pam_succeed_if.so user ingroup DomainGroup2 (where DomainGroup2 is the second group you created in Active Directory)

4. Add account sufficient pam_succeed_If.so user ingroup wheel

Example: account sufficient pam_succeed_if.so user ingroup jimmnix01-console

1.2.4 Restrict SSH

1. To restrict access to ssh modify /etc/pam.d/sshd and replace all contents with the contents below changing DomainGroup with the security group created in Active Directory.

auth required pam_stack.so service=system-auth

auth required pam_nologin.so

account sufficient pam_succeed_if.so user ingroup DomainGroup

account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth

session required pam_loginuid.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

1.2.5 Restrict WDM (Windows Desktop Manager)

1. To restrict access to the graphical logon manager modify /etc/pam.d/gdm and comment out the following:

#auth include system-auth

#account include system-auth

#session include system-auth

2. Add the following lines:

auth required pam_stack.so service=system-auth

account sufficient pam_succeed_if.so user ingroup DomainGroup account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth

3. Change DomainGroup with the group you created in Active Directory)

Example: account sufficient pam_succeed_if.so user ingroup jimmnix01-console

4. To grant another group add another line with account sufficient pam_succeed_if.so user ingroup DomainGroup2 (where DomainGroup2 is the second group you created in Active Directory)

1.2.5 Restrict FTP and other services

In other services such as FTP changing auth include system-auth and session include system-auth to required pam_stack.so service=system-auth and modifying account include system-auth to sufficient pam_succeed_if.so user ingroup DomainGroup (where DomainGroup is a group you created in Active Directory) will restrict access to only the security group created.

Example:

auth required pam_stack.so service=system-auth

account sufficient pam_succeed_if.so user ingroup FTPUsers account sufficient pam_succeed_if.so user ingroup wheel

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth