Restricting SSH Logins to LDAP Group

The are multiple methods of doing this including using pam but I settled for the following:

In the /etc/ssh/sshd_config file I currently have:

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody

to check for ssh keys for the user logging in and I also have password authentication disallowed.

The content of the file /usr/libexec/openssh/ssh-ldap-wrapper was simply:

exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"

I amended it to:


USER_IN_ALLOWED_GROUP=`ldapsearch -x -b 'ou=Groups,dc=domain,dc=whatever,dc=co,dc=uk' '(cn=ssh-access)'  | egrep "^memberUid" | awk '{print $2}' | grep $1 | wc -l`
if [ $USER_IN_ALLOWED_GROUP -gt 0 ];then
logger -t sshd -p info "User $1 is a member of the ssh-access group"
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
logger -t sshd -p warn "User $1 is not a member of the ssh-access group and not allowed to log in, access denied"
exit 0

Let’s see how it goes….

2 Responses to “Restricting SSH Logins to LDAP Group”

  1. jonny

    Yes Tiago AllowGroups would work. Many ways to do the same thing but I liked this method as it might allow me to extend further if the need arises!


Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>