There are multiple ways of doing this, including PAM, but I settled for the following:
In the /etc/ssh/sshd_config file I currently have:
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
so that sshd fetches the SSH keys of the user logging in from LDAP; I also have password authentication disabled (PasswordAuthentication no), so a key from LDAP is the only way in. (AuthorizedKeysCommandRunAs is the Red Hat spelling of the directive; upstream OpenSSH calls it AuthorizedKeysCommandUser.) Note that sshd still reads the files named by AuthorizedKeysFile before it runs the command, so unless those point somewhere users cannot write, a user with a local ~/.ssh/authorized_keys is not gated by this check.
The content of the file /usr/libexec/openssh/ssh-ldap-wrapper was simply:
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
I amended it to:
#!/bin/sh
# Look up the memberUid values of cn=ssh-access and test whether the user
# sshd is authenticating ($1) is among them. grep -F -x matches the whole
# line as a fixed string, so "ann" no longer matches "annabel".
USER_IN_ALLOWED_GROUP=`ldapsearch -x -b 'ou=Groups,dc=domain,dc=whatever,dc=co,dc=uk' '(cn=ssh-access)' | egrep "^memberUid" | awk '{print $2}' | grep -F -x -- "$1" | wc -l`
if [ "$USER_IN_ALLOWED_GROUP" -gt 0 ]; then
    logger -t sshd -p info "User $1 is a member of the ssh-access group"
    exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
else
    logger -t sshd -p warn "User $1 is not a member of the ssh-access group and not allowed to log in, access denied"
    # Print no keys and exit 0: sshd then simply finds nothing to match.
    exit 0
fi
Let’s see how it goes….
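As an added example (not the post's own wrapper script), here is the group-membership check from the wrapper, run over a constructed ldapsearch result so it works offline. The exact-match version sits beside the unanchored grep the wrapper originally used, to show why the anchoring matters. SAMPLE_LDIF, the member names and the function names are assumptions made for this example; in the real wrapper the LDIF would come from ldapsearch.

```shell
#!/bin/sh
# Added example, not the wrapper from the post. SAMPLE_LDIF is a constructed
# stand-in for the output of:
#   ldapsearch -x -b 'ou=Groups,dc=domain,dc=whatever,dc=co,dc=uk' '(cn=ssh-access)'
SAMPLE_LDIF='dn: cn=ssh-access,ou=Groups,dc=domain,dc=whatever,dc=co,dc=uk
objectClass: posixGroup
cn: ssh-access
gidNumber: 10001
memberUid: alice
memberUid: bob
memberUid: annabel
'

# Pull the memberUid values out of the LDIF, one per line.
member_uids() {
    printf '%s' "$SAMPLE_LDIF" | awk '$1 == "memberUid:" {print $2}'
}

# Exact-match check: prints the number of memberUid lines equal to $1
# (0 or 1). -F treats the name as a fixed string, -x anchors the whole
# line, -- stops a name starting with "-" being read as an option.
user_in_group() {
    member_uids | grep -c -F -x -- "$1" || true
}

# The wrapper's original unanchored grep, kept only for comparison:
# "ann" is counted as a member because it is a substring of "annabel".
user_in_group_substring() {
    member_uids | grep -c -- "$1" || true
}

# Decision the wrapper would make for a username, as "allow" or "deny".
ssh_access_decision() {
    if [ "$(user_in_group "$1")" -gt 0 ]; then
        echo allow
    else
        echo deny
    fi
}

ssh_access_decision alice     # allow
ssh_access_decision ann       # deny (the substring version would have allowed it)
```

The `|| true` keeps the functions usable under `set -e`, since `grep -c` exits non-zero when it prints a count of 0.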
Hello,
AllowGroups does not work for you? 🙂
Yes Tiago, AllowGroups would work. Many ways to do the same thing, but I liked this method as it might allow me to extend it further if the need arises!