
I have a network of CentOS 7 machines hosting sshd, each of which is configured to look up a user's public keys in an LDAP directory for ssh authentication.

Furthermore, all ssh users that have access to these Centos boxes are divided into one of two groups in the directory: users or admins.

I would like to make sure all users in the users group have their shell set to /bin/false and all users in the admins group have their shell set to /bin/bash.

In SSSD, the following successfully sets the shell for all users to /bin/false:

[domain/mydomain.com]
override_shell = /bin/false

Is there a way to set the shell for each AD group separately? Something like the following?

[domain/users@mydomain.com]
override_shell = /bin/false

[domain/admins@mydomain.com]
override_shell = /bin/bash

If so, how?

ewwhite
StudentsTea
  • Are you trying to manage access to your machines (say for ssh logins)? – Andy Oct 12 '15 at 20:34
  • There must be a better way to do this, like for instance setting the shell in AD... – Michael Hampton Oct 12 '15 at 20:48
  • @Andy - I'm trying to make it so that only network admins can start a shell session in the SSH bastion server. – StudentsTea Oct 12 '15 at 20:56
  • @MichaelHampton - Setting shell per user in AD would definitely be a maintenance nightmare--and not what I'm looking for. I'm trying to set the shell for users in particular groups on particular machines. Say user Joe is in the just-some-guy group. I want him to have /bin/bash access on his workstation, but not on the ssh bastion. He needs to ssh through the bastion to get to his workstation. – StudentsTea Oct 12 '15 at 20:59

1 Answer


You're looking for the sss_override tool, which was added in the upstream 1.13 version and will be added to RHEL 7.2.

At the moment, the shell overrides are global.

jhrozek
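The answer points at sss_override, which sets overrides per user, not per group. The script below is an added example (not code from the question, the answer or the SSSD project) of how a practitioner would bridge that gap on the bastion: resolve the two directory groups with getent, turn the membership into one shell override per user, and let the admins group win for anyone who is in both. It assumes the groups are literally named users and admins, that SSSD 1.13 or later is installed so sss_override(8) exists, and that override_shell has been removed from the [domain] section of sssd.conf, since that option wins over any per-user shell, including sss_override entries, and would otherwise mask the /bin/bash override for admins. The sample getent output is constructed.

```shell
#!/bin/bash
# Added example, not from the original post. Per-group login shells built
# from per-user sss_override(8) entries on this host (the ssh bastion).
# Assumed: directory groups "users" and "admins"; SSSD >= 1.13;
# override_shell is NOT set in sssd.conf (it would mask these overrides).
set -eu

# plan_shells USERS_SHELL ADMINS_SHELL
# Reads getent(1) group lines ("name:passwd:gid:member,member,...") on
# stdin and prints one "user shell" pair per member of the two groups.
# A user who is in both groups keeps the admins shell regardless of the
# order in which the group lines arrive; output is sorted for stable diffs.
plan_shells() {
    awk -F: -v users_shell="$1" -v admins_shell="$2" '
        $1 == "users" || $1 == "admins" {
            n = split($NF, m, ",")              # member list is the last field
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue        # empty group -> no members
                if ($1 == "admins") {
                    shell[m[i]] = admins_shell
                    is_admin[m[i]] = 1
                } else if (!is_admin[m[i]]) {
                    shell[m[i]] = users_shell   # never downgrade an admin
                }
            }
        }
        END { for (u in shell) print u, shell[u] }
    ' | sort
}

# apply_shells [COMMAND]
# Reads "user shell" pairs on stdin and creates one override per user with
# COMMAND (default: sss_override). Pass "echo" to dry-run the calls.
# Note from sss_override(8): the first override ever created on a host only
# takes effect after SSSD is restarted; later changes need a cache flush.
apply_shells() {
    cmd="${1:-sss_override}"
    while read -r user shell; do
        "$cmd" user-add "$user" --shell "$shell"
    done
}

# Constructed sample of getent output; used when run without --apply so the
# resulting plan can be reviewed before touching the SSSD cache.
SAMPLE='users:*:10000:alice,bob
admins:*:10001:bob,carol'

main() {
    if [ "${1:-}" = "--apply" ]; then
        getent group users admins | plan_shells /bin/false /bin/bash | apply_shells
        sss_cache -E    # drop cached entries so the new shells are served
        echo "Overrides applied; restart sssd if this was the first override on this host."
    else
        printf '%s\n' "$SAMPLE" | plan_shells /bin/false /bin/bash
    fi
}

main "$@"
```

Run it with no arguments to see the plan for the constructed sample (alice gets /bin/false, bob and carol get /bin/bash because bob is also an admin), and with --apply on the bastion itself to write the overrides. Because the overrides live in the SSSD cache of the machine where they are created, the same directory groups can map to different shells on the bastion and on a workstation, which is what the question asks for.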