Cannot restrict domain user access to the Ubuntu SFTP server

0

I have an Ubuntu SFTP server that is joined to an AD domain using winbind and sssd. I would like to restrict user access (ideally, allow only one domain group to access, but for now just a single user).

I uncommented in /etc/security/access.conf

account  required       pam_access.so

and added to /etc/security/access.conf

+ : LOCAL : ALL
- : baduser : ALL
- : ALL : ALL

The problem is that I can still log in to the server with any user. The problem persists after clearing the sssd cache and restarting the services.

Here is the auth.log with debugging enabled after two successful user logins.

 Aug  1 09:42:31 server sshd[6994]: debug1: Forked child 39850.
 Aug  1 09:42:31 server sshd[39850]: debug1: Set /proc/self/oom_score_adj to 0
 Aug  1 09:42:31 server sshd[39850]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
 Aug  1 09:42:31 server sshd[39850]: debug1: inetd sockets after dupping: 3, 3
 Aug  1 09:42:31 server sshd[39850]: Connection from 10.63.61.22 port 58629 on 172.30.17.45 port 22
 Aug  1 09:42:31 server sshd[39850]: debug1: Client protocol version 2.0; client software version WinSCP_release_5.9.2
 Aug  1 09:42:31 server sshd[39850]: debug1: no match: WinSCP_release_5.9.2
 Aug  1 09:42:31 server sshd[39850]: debug1: Enabling compatibility mode for protocol 2.0
 Aug  1 09:42:31 server sshd[39850]: debug1: Local version string SSH-2.0-OpenSSH_7.2p2
 Aug  1 09:42:31 server sshd[39850]: debug1: permanently_set_uid: 110/65534 [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: SSH2_MSG_KEXINIT sent [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: SSH2_MSG_KEXINIT received [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: kex: algorithm: [email protected] [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: rekey after 4294967296 blocks [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
 Aug  1 09:42:31 server sshd[39850]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: rekey after 4294967296 blocks [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: SSH2_MSG_NEWKEYS received [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: KEX done [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: userauth-request for user gooduser service ssh-connection method none [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: attempt 0 failures 0 [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: user gooduser does not match group list ftpaccess at line 102
 Aug  1 09:42:32 server sshd[39850]: debug1: user gooduser does not match group list monetique at line 109
 Aug  1 09:42:32 server sshd[39850]: debug1: PAM: initializing for "gooduser"
 Aug  1 09:42:32 server sshd[39850]: debug1: PAM: setting PAM_RHOST to "10.63.61.22"
 Aug  1 09:42:32 server sshd[39850]: debug1: PAM: setting PAM_TTY to "ssh"
 Aug  1 09:42:32 server sshd[39850]: debug1: userauth_send_banner: sent [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: userauth-request for user gooduser service ssh-connection method password [preauth]
 Aug  1 09:42:32 server sshd[39850]: debug1: attempt 1 failures 0 [preauth]
 Aug  1 09:42:32 server sshd[39850]: pam_krb5(sshd:auth): authentication failure; logname=gooduser uid=0 euid=0 tty=ssh ruser= rhost=10.63.61.22
 Aug  1 09:42:32 server sshd[39850]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.63.61.22  user=gooduser
 Aug  1 09:42:32 server sshd[39850]: pam_winbind(sshd:auth): getting password (0x00000388)
 Aug  1 09:42:32 server sshd[39850]: pam_winbind(sshd:auth): pam_get_item returned a password
 Aug  1 09:42:32 server sshd[39850]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: NT_STATUS_PASSWORD_EXPIRED, Error message was: Password expired
 Aug  1 09:42:32 server sshd[39850]: pam_winbind(sshd:auth): user 'gooduser' password expired
 Aug  1 09:42:32 server sshd[39850]: debug1: PAM: password authentication accepted for gooduser
 Aug  1 09:42:32 server sshd[39850]: debug1: do_pam_account: called
 Aug  1 09:42:44 server sshd[39850]: pam_sss(sshd:account): Access denied for user gooduser: 10 (User not known to the underlying authentication module)
 Aug  1 09:42:44 server sshd[39850]: Accepted password for gooduser from 10.63.61.22 port 58629 ssh2
 Aug  1 09:42:44 server sshd[39850]: debug1: monitor_child_preauth: gooduser has been authenticated by privileged process
 Aug  1 09:42:44 server sshd[39850]: debug1: monitor_read_log: child log fd closed
 Aug  1 09:42:44 server sshd[39850]: debug1: PAM: establishing credentials
 Aug  1 09:42:44 server sshd[39850]: pam_unix(sshd:session): session opened for user gooduser by (uid=0)
 Aug  1 09:42:44 server systemd: pam_sss(systemd-user:account): Access denied for user gooduser: 10 (User not known to the underlying authentication module)
 Aug  1 09:42:44 server systemd: pam_unix(systemd-user:session): session opened for user gooduser by (uid=0)
 Aug  1 09:42:44 server sshd[39850]: User child is on pid 39886
 Aug  1 09:42:44 server sshd[39886]: debug1: SELinux support disabled
 Aug  1 09:42:44 server sshd[39886]: debug1: PAM: establishing credentials
 Aug  1 09:42:44 server sshd[39886]: debug1: permanently_set_uid: 20010/20000
 Aug  1 09:42:44 server sshd[39886]: debug1: rekey after 4294967296 blocks
 Aug  1 09:42:44 server sshd[39886]: debug1: rekey after 4294967296 blocks
 Aug  1 09:42:44 server sshd[39886]: debug1: ssh_packet_set_postauth: called
 Aug  1 09:42:44 server sshd[39886]: debug1: Entering interactive session for SSH2.
 Aug  1 09:42:44 server sshd[39886]: debug1: server_init_dispatch_20
 Aug  1 09:42:44 server sshd[39886]: debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
 Aug  1 09:42:44 server sshd[39886]: debug1: input_session_request
 Aug  1 09:42:44 server sshd[39886]: debug1: channel 0: new [server-session]
 Aug  1 09:42:44 server sshd[39886]: debug1: session_new: session 0
 Aug  1 09:42:44 server sshd[39886]: debug1: session_open: channel 0
 Aug  1 09:42:44 server sshd[39886]: debug1: session_open: session 0: link with channel 0
 Aug  1 09:42:44 server sshd[39886]: debug1: server_input_channel_open: confirm session
 Aug  1 09:42:44 server sshd[39415]: debug1: server_input_channel_req: channel 0 request [email protected] reply 1
 Aug  1 09:42:44 server sshd[39415]: debug1: session_by_channel: session 0 channel 0
 Aug  1 09:42:44 server sshd[39415]: debug1: session_input_channel_req: session 0 req [email protected]
 Aug  1 09:42:45 server sshd[39886]: debug1: server_input_channel_req: channel 0 request [email protected] reply 0
 Aug  1 09:42:45 server sshd[39886]: debug1: session_by_channel: session 0 channel 0
 Aug  1 09:42:45 server sshd[39886]: debug1: session_input_channel_req: session 0 req [email protected]
 Aug  1 09:42:45 server sshd[39886]: debug1: server_input_channel_req: channel 0 request subsystem reply 1
 Aug  1 09:42:45 server sshd[39886]: debug1: session_by_channel: session 0 channel 0
 Aug  1 09:42:45 server sshd[39886]: debug1: session_input_channel_req: session 0 req subsystem
 Aug  1 09:42:45 server sshd[39886]: debug1: subsystem: internal-sftp
 Aug  1 09:42:45 server sshd[39886]: Starting session: subsystem 'sftp' for gooduser from 10.63.61.22 port 58629 id 0


 Aug  1 09:44:41 server sshd[6994]: debug1: Forked child 39945.
 Aug  1 09:44:41 server sshd[39945]: debug1: Set /proc/self/oom_score_adj to 0
 Aug  1 09:44:41 server sshd[39945]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
 Aug  1 09:44:41 server sshd[39945]: debug1: inetd sockets after dupping: 3, 3
 Aug  1 09:44:41 server sshd[39945]: Connection from 10.63.61.22 port 58658 on 172.30.17.45 port 22
 Aug  1 09:44:41 server sshd[39945]: debug1: Client protocol version 2.0; client software version WinSCP_release_5.9.2
 Aug  1 09:44:41 server sshd[39945]: debug1: no match: WinSCP_release_5.9.2
 Aug  1 09:44:41 server sshd[39945]: debug1: Enabling compatibility mode for protocol 2.0
 Aug  1 09:44:41 server sshd[39945]: debug1: Local version string SSH-2.0-OpenSSH_7.2p2
 Aug  1 09:44:41 server sshd[39945]: debug1: permanently_set_uid: 110/65534 [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: SSH2_MSG_KEXINIT sent [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: SSH2_MSG_KEXINIT received [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: kex: algorithm: [email protected] [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: rekey after 4294967296 blocks [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: rekey after 4294967296 blocks [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: SSH2_MSG_NEWKEYS received [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: KEX done [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: userauth-request for user baduser service ssh-connection method none [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: attempt 0 failures 0 [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: user baduser does not match group list ftpaccess at line 102
 Aug  1 09:44:41 server sshd[39945]: debug1: user baduser matched group list monetique at line 109
 Aug  1 09:44:41 server sshd[39945]: debug1: PAM: initializing for "baduser"
 Aug  1 09:44:41 server sshd[39945]: debug1: PAM: setting PAM_RHOST to "10.63.61.22"
 Aug  1 09:44:41 server sshd[39945]: debug1: PAM: setting PAM_TTY to "ssh"
 Aug  1 09:44:41 server sshd[39945]: debug1: userauth_send_banner: sent [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: userauth-request for user baduser service ssh-connection method password [preauth]
 Aug  1 09:44:41 server sshd[39945]: debug1: attempt 1 failures 0 [preauth]
 Aug  1 09:44:41 server sshd[39945]: pam_krb5(sshd:auth): user baduser authenticated as [email protected]
 Aug  1 09:44:42 server sshd[39945]: debug1: PAM: password authentication accepted for baduser
 Aug  1 09:44:42 server sshd[39945]: debug1: do_pam_account: called
 Aug  1 09:44:54 server sshd[39945]: pam_sss(sshd:account): Access denied for user baduser: 10 (User not known to the underlying authentication module)
 Aug  1 09:44:54 server sshd[39945]: Accepted password for baduser from 10.63.61.22 port 58658 ssh2
 Aug  1 09:44:54 server sshd[39945]: debug1: monitor_child_preauth: baduser has been authenticated by privileged process
 Aug  1 09:44:54 server sshd[39945]: debug1: monitor_read_log: child log fd closed
 Aug  1 09:44:54 server sshd[39945]: debug1: PAM: establishing credentials
 Aug  1 09:44:54 server sshd[39945]: pam_unix(sshd:session): session opened for user baduser by (uid=0)
 Aug  1 09:44:54 server sshd[39945]: User child is on pid 39979
 Aug  1 09:44:54 server sshd[39979]: debug1: SELinux support disabled
 Aug  1 09:44:54 server sshd[39979]: debug1: PAM: establishing credentials

What is wrong? Thanks

by dev93 01.08.2018 / 11:39
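The three access.conf rules from the question, evaluated with pam_access's first-match semantics, as an added example that is neither the asker's code nor the pam_access source. It models the documented rule matching (ALL, (group) syntax, EXCEPT, bare names tried as user then group) and uses the group memberships the log shows for gooduser and baduser; treating LOCAL in the origins field as "an origin containing no dot" is an assumption. With these rules both users fall through to "- : ALL : ALL" and would be denied, so a successful login with no pam_access line in auth.log indicates that the module is not being consulted in the sshd account stack at all.

```python
# The three rules from the question, embedded as constructed sample input.
SAMPLE_ACCESS_CONF = """\
+ : LOCAL : ALL
- : baduser : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permission, [user tokens], [origin tokens])], skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users.split(), origins.split()))
    return rules

def _match_list(tokens, matcher):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], matcher) and not _match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)

def _user_matches(tok, user, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):  # explicit group syntax
        return tok[1:-1] in groups
    # A bare name is tried as a login name, then as a group name. LOCAL is only
    # a keyword in the origins field; in the users field it is just a plain name.
    return tok == user or tok in groups

def _origin_matches(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":  # assumption: classic rule, an origin without a '.'
        return "." not in origin
    return tok == origin

def evaluate(rules, user, groups, origin):
    """Return 'allow' or 'deny'; when no rule matches, pam_access permits."""
    for perm, users, origins in rules:
        if (_match_list(users, lambda t: _user_matches(t, user, groups))
                and _match_list(origins, lambda t: _origin_matches(t, origin))):
            return "allow" if perm == "+" else "deny"
    return "allow"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    print("gooduser:", evaluate(rules, "gooduser", set(), "10.63.61.22"))
    print("baduser:", evaluate(rules, "baduser", {"monetique"}, "10.63.61.22"))
```

Running it prints "deny" for both users; if pam_access were active in the account phase, auth.log would show a pam_access denial instead of the accepted password seen above.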

0 answers