
Our setup:

  • LDAP server: OpenLDAP with the openssh and sudo schemas.
  • Bastion server: accepts SSH from anywhere and authenticates users via public keys stored in LDAP (using sssd).
  • Destination server[s]: should accept SSH only from the bastion server and authenticate users via public keys stored in LDAP (using sssd).

Now, this setup works, and on the destination server the restriction is done via sshd's `AllowUsers`, such as `AllowUsers *@bastion_ip`.

However, this became a problem when, due to IDC issues, the bastion became unavailable, thus rendering all servers inaccessible.

As a follow-up on this situation, I am wondering whether there is a way to perform a similar restriction but store bastion_ip in the LDAP record for a user (or in another entry), thus allowing a quick move to another IP in case similar situations happen.

Is there such a way? Or some workaround that I haven't thought of?

Alexey Kamenskiy

1 Answer


The only similar thing (which uses a host name though, not an IP) that SSSD supports is the `ldap_user_authorized_host` property of `access_provider=ldap`. See `man sssd-ldap` for more details.

From a comment: We triaged the issue with the OP on IRC interactively, and it turned out that pam_sss.so wasn't set in the PAM stack, which caused the SSSD access provider not to be called at all. The solution is to update the PAM configs with `authconfig --enablesssdauth --update`.

jhrozek
  • Okay, I got what you mean with this setting, but I don't seem to be able to make it work. I set `access_provider = ldap` and `ldap_access_order = host`, added the relevant schema/ldif and... it is not working. It apparently retrieves the field (judging from the sssd logs) but just ignores it completely. Any idea? – Alexey Kamenskiy Apr 27 '17 at 11:50
  • We triaged the issue with the OP on IRC interactively and it turned out that pam_sss.so wasn't set in the PAM stack, which caused the SSSD access provider to not be called at all. – jhrozek Apr 28 '17 at 06:36
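The following is an added example, not code from the thread or from the SSSD project. It puts the pieces of the accepted answer and its comments together: the sssd.conf domain section that turns on the host check (`access_provider = ldap`, `ldap_access_order = host`), the LDIF that gives a user the `host` attribute SSSD reads, and a check for the misconfiguration the OP actually hit (pam_sss.so present in the auth phase but absent from the account phase, so authentication works while SSSD's access provider never runs). Two caveats a practitioner should keep in mind: according to sssd-ldap(5) the host check compares the attribute values with the hostname of the machine the user is logging in to, not with the address the connection comes from, so it does not by itself replace `AllowUsers *@bastion_ip`; and the user entry's object classes must allow the `host` attribute. The domain name, LDAP base, hostnames and user DN are placeholder assumptions, and the PAM sample files used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project.
# Renders the SSSD host-based access control the answer points at and checks
# a PAM file for the problem found in the comments (no pam_sss.so in the
# account phase). Domain name, hostnames, LDAP base and user DN are
# placeholder assumptions.

# [domain] section for sssd.conf: access_provider=ldap with the host check.
# SSSD compares the values of the user's `host` attribute with the hostname
# of the machine the user is logging in to; "*" matches any host and a
# "!host" value denies that host.
sssd_domain_section() {
  cat <<'EOF'
[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
EOF
}

# LDIF (for ldapmodify) adding the permitted destination hosts to one user
# entry. The entry's object classes must allow the `host` attribute (for
# example the `account` object class from the cosine schema).
user_host_ldif() {
  dn=$1
  shift
  printf 'dn: %s\nchangetype: modify\nadd: host\n' "$dn"
  for h in "$@"; do
    printf 'host: %s\n' "$h"
  done
}

# Return 0 if a PAM config file calls pam_sss.so in its account phase, the
# phase in which SSSD runs its access provider. A stack that only has
# pam_sss.so in the auth phase authenticates users but never enforces
# ldap_access_order, which is what the OP hit. Comment lines are ignored.
pam_account_has_sss() {
  grep -Eq '^[[:space:]]*-?account[[:space:]]+.*pam_sss\.so' "$1"
}

# Stand-alone use: sh sssd_host_check.sh /etc/pam.d/system-auth
if [ $# -eq 1 ]; then
  if pam_account_has_sss "$1"; then
    echo "$1: pam_sss.so is in the account phase"
  else
    echo "$1: pam_sss.so missing from the account phase; SSSD access control will not run" >&2
    exit 1
  fi
fi
```

Run `sssd_domain_section` and `user_host_ldif` to produce the fragments to drop into sssd.conf and feed to ldapmodify; run the script with a PAM file as its only argument to find out whether the account phase calls pam_sss.so at all (on RHEL-style systems the line `authconfig --enablesssdauth --update` adds is `account [default=bad success=ok user_unknown=ignore] pam_sss.so`). If that check fails, no amount of `ldap_access_order` tuning will have any effect, which matches the behaviour described in the comments: the attribute is fetched and then apparently ignored.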