BeyondTrust/pbis-open

Issue with any user in any AD Domain can SSH into a Linux host

Closed this issue · 2 comments

Version: Compiled daemon version: 9.0.2.534, Packaged product version: 9.0.534.497
OS/Distro: CentOS Linux release 7.6.1810 (Core)
Issue/Impact: After rolling out the pbis-open agent on hundreds of CentOS Linux hosts,
it was brought to my attention that any created user on any Active Directory Domain
now has the ability to SSH into these hosts. I am new to the product, so bear with me.
I was under the impression that only users I allow, based on my AD security groups, would
have the ability to SSH into these hosts. I know they can't sudo, which is fine and well,
but now any domain user has the ability to SSH into these hosts, which I do not want.
Is this by design? I looked through the documentation and I don't see any way to lock this down.
How should I configure this so that only users in certain groups have the ability to SSH?


sudo systemctl status lwsmd.service
● lwsmd.service - BeyondTrust AD Bridge Service Manager
Loaded: loaded (/usr/lib/systemd/system/lwsmd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-08-04 04:45:48 CDT; 2 days ago
Process: 5330 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
Main PID: 5521 (lwsmd)
Tasks: 111
CGroup: /system.slice/lwsmd.service
├─5521 /opt/pbis/sbin/lwsmd --start-as-daemon
├─5534 lw-container lwreg
├─5570 lw-container eventlog
├─5596 lw-container netlogon
├─5692 lw-container lwio
├─5761 lw-container lsass
└─5808 lw-container reapsysl


sudo /opt/pbis/bin/lwsm list
lwreg running (container: 5534)
dcerpc stopped
eventlog running (container: 5570)
lsass running (container: 5761)
lwio running (container: 5692)
netlogon running (container: 5596)
rdr running (io: 5692)
reapsysl running (container: 5808)
usermonitor stopped


sudo domainjoin-cli query
Name = servername
Domain = somedomain
Distinguished Name = CN=hostname,OU=Servers,OU=Servers,DC=something,DC=something


I don't feel safe attaching lsass.log; there is too much information in there.

It's probably obvious, but it is not any AD domain user that can log in; it is users in the domain you've joined (and those domains to which you have two-way trusts).

You can restrict who can login via the RequireMembershipOf config item; see the Config Tool Reference Guide. I'll see if we can add an item to the Open Quick Start Guide to highlight this.
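The following is an added example, not code from the thread or from the pbis-open project, showing how the RequireMembershipOf setting mentioned above is applied from a shell on a joined host. It assumes the agent's tools live under /opt/pbis/bin as on the poster's host, that group entries are written as DOMAIN\group with spaces replaced by ^ (the PBIS convention; confirm with `config --show`), and uses the placeholder domain CORP and placeholder group names.

```shell
#!/bin/sh
# Added example (not from the issue thread): restrict AD logins on a PBIS-joined
# host to members of specific AD groups via RequireMembershipOf.
# Assumptions: /opt/pbis/bin/config and /opt/pbis/bin/ad-cache exist (as on the
# poster's host); entries are DOMAIN\group, spaces written as ^; CORP and the
# group names used in comments are placeholders.

PBIS_CONFIG="${PBIS_CONFIG:-/opt/pbis/bin/config}"
PBIS_ADCACHE="${PBIS_ADCACHE:-/opt/pbis/bin/ad-cache}"

# Build one RequireMembershipOf entry from a NetBIOS domain and a group name,
# rewriting spaces as ^ so a group like "Linux Admins" is not split or lost.
#   pbis_group_arg CORP 'Linux Admins'  ->  CORP\Linux^Admins
pbis_group_arg() {
    _dom=$1
    _grp=$2
    printf '%s\\%s\n' "$_dom" "$_grp" | sed 's/ /^/g'
}

# Reject an entry that is not DOMAIN\group or that still carries a raw space;
# a malformed entry silently matches nobody and locks out the intended group.
pbis_entry_valid() {
    case $1 in
        *' '*) return 1 ;;
        *\\*)  return 0 ;;
        *)     return 1 ;;
    esac
}

# Apply the restriction. Every argument is one DOMAIN\group entry. Passing
# several entries SETS the whole list; it does not append to an existing one,
# so always pass the complete set of allowed groups in one call.
pbis_require_membership_of() {
    [ "$#" -gt 0 ] || {
        echo 'usage: pbis_require_membership_of DOMAIN\group ...' >&2
        return 2
    }
    for _e in "$@"; do
        pbis_entry_valid "$_e" || { echo "bad entry: $_e" >&2; return 2; }
    done
    "$PBIS_CONFIG" RequireMembershipOf "$@" || return 1
    # Drop cached user/group lookups so the next login consults the new policy.
    "$PBIS_ADCACHE" --delete-all || return 1
    # Print what is now enforced; read it back rather than trusting the input.
    "$PBIS_CONFIG" --show RequireMembershipOf
}

# Usage on a joined host (placeholder domain and groups):
#   pbis_require_membership_of "$(pbis_group_arg CORP 'Linux Admins')" 'CORP\linux-ops'
# Restore the open-to-everyone behaviour from the issue, if ever needed:
#   "$PBIS_CONFIG" RequireMembershipOf ''
```

Two caveats worth knowing before relying on this: RequireMembershipOf is enforced when PAM authenticates an AD account, so a blocked user still resolves through NSS (`id CORP\\someuser` keeps working); verify by attempting an SSH login as a user outside the listed groups and checking /var/log/secure, not by running `id`. Local accounts in /etc/passwd are unaffected by the setting. Because the list is replaced rather than appended on each call, a rollout script should carry the full allow-list, and membership of trusted-domain groups only counts if that domain's group is itself listed.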

Yes you are correct, these are domains with 2-way trusts. Thank you for the config command that helped, I did not see that in the instructions, must have overlooked it. Thank you for all your help.