Limit ssh login access to specific Windows AD user groups
11-20-2018 02:11 PM
How do you limit access to Linux servers after an Express install?
My entire AD, all 200 users, are able to log in using AD credentials.
I only want certain Windows AD groups to be able to log in to the Linux server I installed Centrify Express on.
How can this be achieved?
11-21-2018 06:00 AM
Welcome to the Centrify community.
To leverage AD groups to control access using Express:
- Over SSH, you can leverage the SSH user/group allow/deny parameters to control access.
- To also include the console, use access.conf; you can leverage adclient's PAM and NSS framework integration.
- You can use the pam_succeed_if shared object with the user_ingroup or user_notingroup PAM directive.
However, the best option is to use the access control capabilities provided by Centrify zones in the commercial version (Infrastructure Services), because it:
- Works out of the box once configured, no need to touch the clients.
- Supports large numbers of objects and any type of AD trust.
- Multi-platform across UNIX, Linux, Mac and Windows.
- Native support for Multi-factor Authentication.
- Includes DirectAuthorize for cross-platform privilege elevation.
- Report Services for attestation.
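
Minimal forms of the three Express-side options listed in the reply above, as an added example that is not part of the original post or of Centrify's documentation. The group name `linux-admins` is a hypothetical placeholder for the AD group's UNIX name as `getent group` reports it on the joined host; the file paths are the stock CentOS ones and the UID threshold of 1000 is an assumption.

```conf
# Pick ONE of the three options below; stacking them makes lockouts hard to debug.
# "linux-admins" is a hypothetical group name. Confirm the real UNIX name with:
#   getent group linux-admins
#   id <ad-user>

# --- Option 1: SSH only -------------------------------------------------
# File: the sshd_config read by the running sshd (stock path: /etc/ssh/sshd_config)
# Only members of the listed groups (primary or supplementary) may log in.
# Every other account, local or AD, is refused by sshd itself.
AllowGroups linux-admins

# --- Option 2: SSH and console, via pam_access --------------------------
# File: /etc/security/access.conf  (rules are evaluated top to bottom, first match wins)
# Keep local root on the console so a directory outage does not lock you out.
+ : root : LOCAL
# Parentheses mark the name as a group rather than a user.
+ : (linux-admins) : ALL
# Default deny for everyone else.
- : ALL : ALL

# access.conf is only enforced where pam_access is in the account stack,
# for example in /etc/pam.d/sshd and /etc/pam.d/login:
account    required     pam_access.so

# --- Option 3: pam_succeed_if in the account stack -----------------------
# File: the PAM service file to restrict, for example /etc/pam.d/sshd
# First line: accounts with uid < 1000 (assumed to be local system accounts)
# skip the group test that follows.
account    [success=1 default=ignore]    pam_succeed_if.so quiet uid < 1000
# Second line: everyone else must be a member of the allowed group.
account    required     pam_succeed_if.so quiet_success user ingroup linux-admins
```

After editing sshd_config, run `sshd -t` to check the syntax before restarting the daemon, and keep an existing root session open while testing a login as both an allowed and a disallowed AD user.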