Ssh – OpenSSH + Active Directory: allow sftp for a group while disallowing everyone else

Tags: active-directory, chroot, kerberos, sftp, ssh

My objective is to allow the members of a given Active Directory group to use OpenSSH SFTP in a chroot, and to deny SSH access to them and to everyone else who isn't a member of that group, while still allowing local (non-AD) system accounts.

I've already configured sshd_config to use Kerberos to get Active Directory info and that part is already working.

The problem is: while it works the intended way for the group I wish to give access to (allow SFTP, deny SSH), all other AD accounts can both open an SSH shell and use non-chroot SFTP, which is, of course, undesired.

Summing up, I needed to:

  • grant chroot'ed SFTP access to an Active Directory group; deny SSH for them.
  • deny both SFTP and SSH for non-members of that group.
  • keep access rights to local system accounts.

I'm using Fedora 32 with OpenSSH_8.3p1, and my config follows (non-commented-out lines only).

/etc/ssh/sshd_config:

Include /etc/ssh/sshd_config.d/*.conf
HostbasedAuthentication no
KerberosAuthentication yes
Subsystem       sftp   internal-sftp
Match Group sftp_users
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY no

/etc/ssh/sshd_config.d/50-redhat.conf:

PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no

Thanks in advance!

Best Answer

You need to use ad_access_filter in SSSD to filter which AD users get access to the server. The syntax is something like:

ad_access_filter=(&(memberof=cn=sftp_user,ou=groups,dc=example,dc=com)(other membership criteria))
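A way to check offline which sshd_config keywords a given user actually ends up with, reproducing the gap the question describes: the Match Group block confines members of sftp_users, while any other AD user falls through to the global section with no ForceCommand at all. This is an added example, not code from the question or the answer; it only evaluates the Match criteria Group, User and All (sshd also knows Host, Address and others), and the sample config is constructed from the question's sshd_config.

```python
"""Compute the effective sshd_config for a user, to check a Match Group block offline."""
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Constructed sample: the relevant non-commented lines of the question's sshd_config.
SSHD_CONFIG = """
Subsystem       sftp   internal-sftp
Match Group sftp_users
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no
        PermitTTY no
"""

def _match_applies(criteria: str, user: str, groups: List[str]) -> bool:
    """Evaluate 'Match Group a,b User c' style criteria; every criterion must hold."""
    if criteria.strip().lower() == "all":
        return True
    tokens = criteria.split()
    for crit, patterns in zip(tokens[::2], tokens[1::2]):
        candidates = groups if crit.lower() == "group" else [user]
        if not any(fnmatchcase(c, p) for c in candidates for p in patterns.split(",")):
            return False
    return bool(tokens)

def effective_config(config_text: str, user: str, groups: List[str]) -> Dict[str, str]:
    """Global keywords apply to everyone; a matching Match block overrides them,
    and among several matching blocks the first one to set a keyword wins."""
    settings: Dict[str, str] = {}
    set_by_match: Set[str] = set()
    in_match, active = False, True
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if not parts:
            continue
        key = parts[0].lower()
        value = " ".join(parts[1].split()).replace("%u", user) if len(parts) > 1 else ""
        if key == "match":
            in_match, active = True, _match_applies(value, user, groups)
        elif active and not (in_match and key in set_by_match):
            settings[key] = value
            if in_match:
                set_by_match.add(key)
    return settings

def sftp_only(config_text: str, user: str, groups: List[str]) -> bool:
    """True when the user is confined to chrooted internal-sftp, False if a shell is reachable."""
    cfg = effective_config(config_text, user, groups)
    return cfg.get("forcecommand") == "internal-sftp" and "chrootdirectory" in cfg

if __name__ == "__main__":
    for u, g in [("alice", ["sftp_users", "domain users"]), ("bob", ["domain users"])]:
        print(u, "sftp-only" if sftp_only(SSHD_CONFIG, u, g) else "shell + unrestricted sftp")
```

On the real host, `sshd -T -C user=<name>` prints the effective configuration for a given user and is the authoritative check; this script only lets you reason about the file before deploying it.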
