
I'm trying to check if a user who connects to a Linux server via SSH is authenticated using Active Directory (Centrify).

In case he uses a local account (located in /etc/passwd), I need to display a warning asking him to use his Active Directory account and then prompt login again.

My first attempt was using the PAM module pam_script inside /etc/pam.d/login to execute a script that checks if the current username exists in /etc/passwd whenever a user logs in, displays a warning if found and calls the login command again.

I added the following line to /etc/pam.d/login

session    required    pam_script.so runas=root

This line executes a script file located in /etc/security/onsessionopen which contains:

#!/bin/sh
username=$1

# Warn and re-run login if the name has an entry in /etc/passwd (a local account).
if [ "$(grep -c "^$username:" /etc/passwd)" = 1 ]
then
    echo "Warning, please use your AD credentials"
    login
fi

But the same scenario didn't work in /etc/pam.d/sshd. When using SSH the script does run but doesn't display text or prompt for login.

Any thoughts? Thank you

4 Answers


Using id it is relatively easy to know if you are connected from AD or local /etc/passwd. The next step would be to have a function in /etc/profile that will issue the warning message.

  • Hello and thank you for your answer, I did your suggestion, but I'm wondering how to re-invoke the login step inside /etc/profile after displaying the warning. Commented Jul 13, 2016 at 13:30
  • @WinkoBit don't try to reinvoke login. It's far easier to throw the user out and let them try again. Commented Jul 14, 2016 at 20:05

Changing the shell for relevant accounts in /etc/passwd would work well

Put this into (say) /usr/local/etc/mustuseadlogin and make it executable:

#!/bin/sh
echo
echo "Please log in with AD authentication" >&2
echo
sleep 10
exit 0

Now edit /etc/passwd (ideally with vipw) and change the last field for all affected accounts to be /usr/local/etc/mustuseadlogin. For example,

roaima:x:1001:1001:I am roaima:/home/roaima:/usr/local/etc/mustuseadlogin

Awesome solution for the standard 'login'. Unfortunately, I don't think you'll have much luck getting this same behavior going for 'sshd'. This is due to the fundamental connection procedures which sshd utilizes when establishing a connection. By the time we get as far as the PAM stack (or profile bits, as in the other suggestion), the username is already resolved, as submitted by the SSH client.

Here's a resource that may shed more light on this: https://serverfault.com/questions/330310/force-ssh-to-prompt-for-user

Given this info, I would suggest that an ideal solution may be to stick with your script (or /etc/profile addition); however, for the 'sshd' stack, rather than hit 'login', have it sleep for 10s or what-have-you (to ensure the warning is seen), and then have the session closed.


The pam_script module uses its exit status to tell the calling stack what to do. Change your code to this, and it'll work:

#!/bin/bash
username="$1"

# Refuse (exit 1) local accounts other than root; exit 0 lets the session continue.
if [[ root != "$username" ]] && grep -q '^'"$username"':' /etc/passwd
then
    echo "Warning, please use your AD credentials"
    exit 1
fi
exit 0

I've excluded root from the block. You can adjust the [[ ... ]] test for UIDs < 500, etc., to apply to your own scenario.

  • make sure root can connect. Commented Jul 14, 2016 at 17:58
  • @Archemar thank you for that suggestion. Code updated (I do prefer my other answer, though.) Commented Jul 14, 2016 at 20:04
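An added example, not code from the question or from any of the answers, that combines the pam_script exit-status approach of this answer with the exemptions the comments ask for, and whose should_refuse function could equally be called from the /etc/profile hook suggested in the first answer. Assumptions: pam_script exports the login name as PAM_USER (the script also accepts it as $1, as the question's version does); the names make_sample_passwd, local_uid, should_refuse, PASSWD_FILE and MIN_HUMAN_UID are mine; the sample passwd entries are constructed for the stand-alone run. Two things the versions above do not handle: the login name is compared by awk string equality instead of being spliced into a grep pattern, so a name containing regex metacharacters (or a backslash, as in DOMAIN\user) cannot match some other user's line; and system accounts below a UID threshold are let through along with root, so sshd itself and maintenance access are never locked out. As the question observed, a session-stage module's echo under sshd never reaches the client; only the exit status takes effect, so the warning is also sent to syslog.

```sh
#!/bin/sh
# Added example: pam_script-style session check that refuses local human
# accounts and tells the user (via syslog) to use AD credentials instead.
# PASSWD_FILE and MIN_HUMAN_UID are assumed knobs, not pam_script options.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
MIN_HUMAN_UID="${MIN_HUMAN_UID:-1000}"   # UIDs below this are treated as system accounts

# Write a constructed sample passwd file to $1 (hypothetical entries, for demo/test).
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash
EOF
}

# local_uid NAME FILE: print NAME's UID from FILE, or nothing if absent.
# The name goes through ENVIRON, not -v or the pattern, so no regex or
# backslash processing is applied to an attacker-chosen login name.
local_uid() {
  CHECK_USER=$1 awk -F: '$1 == ENVIRON["CHECK_USER"] { print $3; exit }' "$2"
}

# should_refuse NAME FILE: return 0 (refuse) for a local human account,
# 1 (allow) for root, system accounts, and names not in FILE at all
# (those resolve, if at all, through NSS, i.e. the AD/Centrify path).
should_refuse() {
  uid=$(local_uid "$1" "$2")
  [ -n "$uid" ] || return 1
  [ "$uid" -ge "$MIN_HUMAN_UID" ] || return 1
  return 0
}

# Invoked by pam_script: name as $1 or PAM_USER (assumed to be exported).
user=${1:-${PAM_USER:-}}
if [ -n "$user" ]; then
  if should_refuse "$user" "$PASSWD_FILE"; then
    # Under sshd this stderr text is not shown to the client; the exit status is what ends the session.
    echo "Warning: local account '$user' refused, please use your AD credentials" >&2
    logger -t mustuseadlogin "refused local account '$user', AD credentials required" 2>/dev/null || :
    exit 1
  fi
  exit 0
fi

# Run by hand with no arguments: show the decisions against the constructed file.
demo_file=$(mktemp)
make_sample_passwd "$demo_file"
for name in root sshd alice 'EXAMPLE\jdoe' '.*'; do
  if should_refuse "$name" "$demo_file"; then
    printf '%-14s refuse (local human account)\n' "$name"
  else
    printf '%-14s allow\n' "$name"
  fi
done
rm -f "$demo_file"
```

Wire it in as `session required pam_script.so` for the sshd service only, keeping the login service untouched, and test first from a second session with an AD account and with root so that a typo in the script does not lock everyone out: a non-zero exit from a required session module ends the SSH session after authentication has already succeeded.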
