  1. #1
     Just Joined! (Join Date May 2009, Posts 6)

     SSH proxy for authentication with AD
    Hi All

    I have the following setup:

    - Linux servers in DMZ
    - Active Directory servers on LAN

    Goal: enable AD authentication for users on Linux servers when logging on via SSH.

    I can join Linux servers to the AD domain and enable SSO using the samba/winbind combination. This has been tried and tested on the LAN, so this part is sorted.

    To enable user authentication in the DMZ I need to set up a logon proxy in a separate DMZ (this is a company rule). DMZ servers would send the logon request to the logon proxy, and it in turn would access Active Directory.
    This is a safe way to do it, and I would rather not have DMZ servers with open ports to AD.

    Does anyone know what I should use as an SSH proxy?
    Maybe LDAP over SSL is better suited for this role?

    I cannot change anything about the Active Directory servers as they are managed by a different team, and security policies do not allow introducing things like a read-only DC that could help.


    Thank you very much in advance!

  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    Sounds like (to me) you are going about it right. The DMZ is separate for a reason.

    You don't need an 'ssh' proxy, you just need a proxy to redirect the AD requests on port 389. So you would set up any proxy that sits on the DMZ line with a NIC in the DMZ and a NIC on the LAN, and proxy requests. We use ISA, but I would imagine you could use any firewall like iptables to NAT requests back and forth.

    Once you are able to do that you could join your computer to the domain as normal and, since SSH uses PAM, adjust your PAM SSH config to use winbind.
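    The dual-homed "packet forwarder" described in this reply, as an added example that is not from the thread or any poster: a small POSIX shell script that prints (or, with APPLY=1, applies) iptables rules so that the only traffic allowed from the DMZ NIC to the LAN NIC is AD authentication traffic, DNATed to a single domain controller. Interface names, addresses and the port list are assumptions; in particular, a winbind-joined host needs more than port 389, and the set below should be compared with the DC team's firewall policy.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables rules for a
# dual-homed "logon proxy" that forwards only AD authentication traffic
# from the DMZ interface to one domain controller on the LAN.
# Interface names, addresses and the port list are assumptions; adjust
# them to your environment.
#
#   ad_forward_rules DMZ_IF LAN_IF DC_IP      prints the iptables commands
#   APPLY=1 sh adproxy.sh eth0 eth1 10.0.0.5  runs them (as root)

# Ports an AD-joined Linux client (Kerberos + winbind) talks to on the DC.
# This set is an assumption; compare it with your DC team's firewall policy.
#   proto port purpose
AD_PORTS='
tcp 88  kerberos
udp 88  kerberos
tcp 464 kpasswd
udp 464 kpasswd
tcp 389 ldap
udp 389 cldap-dc-locator
tcp 636 ldaps
tcp 445 smb-netlogon
'

ad_forward_rules() {
    dmz_if=$1; lan_if=$2; dc_ip=$3
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Start from a closed forwarding table: anything not listed below is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    # Let DC replies back into the DMZ only for flows the DMZ side opened.
    echo "iptables -A FORWARD -i $lan_if -o $dmz_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The DC sees the proxy's LAN address, so the AD side needs one firewall rule.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -d $dc_ip -j MASQUERADE"
    echo "$AD_PORTS" | while read -r proto port _; do
        [ -n "$proto" ] || continue
        # Rewrite the destination of packets the DMZ hosts send to this proxy ...
        echo "iptables -t nat -A PREROUTING -i $dmz_if -p $proto --dport $port -j DNAT --to-destination $dc_ip"
        # ... and permit exactly those rewritten flows to cross into the LAN.
        echo "iptables -A FORWARD -i $dmz_if -o $lan_if -p $proto -d $dc_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
}

# Apply for real only when explicitly asked; otherwise just print.
if [ "${APPLY:-0}" = 1 ] && [ $# -eq 3 ]; then
    ad_forward_rules "$@" | sh -e
elif [ $# -eq 3 ]; then
    ad_forward_rules "$@"
fi
```

    Because the DMZ hosts never reach the DC directly, they have to be pointed at the proxy's DMZ address instead of locating DCs through DNS SRV records: for example `kdc = <proxy-dmz-ip>` under the realm in krb5.conf, and typically an /etc/hosts entry mapping the DC's hostname to the proxy, since Kerberos service principals are name-based. Nothing in the rule set above allows DMZ-initiated traffic to any LAN host other than `dc_ip`, which is the property the original poster wanted.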

  3. #3
    Just Joined!
    Join Date
    May 2009
    Posts
    6
    Quote Originally Posted by jledhead (post #2 above)
    Thank you jledhead,
    I understand you describe two cases, LDAP and Kerberos.
    I would prefer to use Kerberos as the password is not travelling between client and server as it is with LDAP.
    Is it correct to assume that the proxy in this case is only a packet forwarder? Let's say I join the DMZ server to the domain, then set up packet forwarding for the proxy to pass Kerberos traffic. I guess I can do a lot of things with iptables to increase security.

    On the other hand, I thought that I could eliminate DMZ-to-LAN traffic altogether.
    Set up a Linux host joined to AD and, for each user that needs to access a DMZ server, create an SSH key to log on without a password. It does complicate things, but it could be an alternative to increase security.

  5. #4
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    Quote Originally Posted by daugavpils View Post

    On the other hand, I thought that I could eliminate DMZ-to-LAN traffic altogether.
    Set up a Linux host joined to AD and, for each user that needs to access a DMZ server, create an SSH key to log on without a password. It does complicate things, but it could be an alternative to increase security.
    I hadn't thought about that, but that would probably work and would be a good way to connect without using a password. I am guessing this machine would be joined to AD and then sit on the line between the DMZ and the LAN, and you would essentially be tunneling through it?

    If I were setting this up now I would probably go with that method. It could be tricky for someone to follow.

    And yes, in my example the 'proxy' would just need to be a packet forwarder. You could run a load balancer on that machine and the DMZ machines would connect to the load balancer, which would then NAT the connection to the AD servers. LVS comes to mind for something like that.
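    The jump-host alternative raised in post #3 and endorsed here, as an added example that is not from the thread or any poster: the AD-joined host on the LAN authenticates users via winbind/PAM, and each user's key is accepted by the DMZ servers only when presented from that host. The helpers below (POSIX shell) build such an authorized_keys entry and audit an existing file for keys that are not pinned to the jump host. The jump host address 10.0.0.10, the function names and every key in the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the "AD-joined jump host
# plus per-user SSH keys into the DMZ" alternative. The jump host address
# and every key below are constructed for illustration.

JUMP_HOST_IP=${JUMP_HOST_IP:-10.0.0.10}   # assumed LAN-side jump host

# authorized_keys line for a DMZ server: the key is accepted only when the
# connection comes from the jump host, with port/agent/X11 forwarding off
# ("restrict"); "pty" re-enables an interactive shell.
dmz_key_entry() {
    keytype=$1; keydata=$2; comment=$3
    echo "from=\"$JUMP_HOST_IP\",restrict,pty $keytype $keydata $comment"
}

# Audit an authorized_keys file: print every entry not pinned to the jump
# host and return their number. A key without such a "from=" option can be
# used from anywhere, which reopens the path the jump host was meant to close.
# A CIDR that merely contains the jump host (from="10.0.0.0/8") is also
# reported, on purpose: the pin should be exact.
unpinned_keys() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        opts=${line%% *}             # options field (or key type if none)
        case "$opts" in
            *from=\"*$JUMP_HOST_IP*\"*) ;;   # pinned to the jump host
            *) echo "unpinned: $line"; bad=$((bad + 1)) ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample: two pinned entries, two that are not.
sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys for a DMZ server
from="10.0.0.10",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@jump
from="10.0.0.10,10.0.0.11",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo bob@jump
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyThree carol@laptop
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFour dave@jump
EOF
}

# Audit the file named on the command line, if any.
if [ $# -eq 1 ]; then
    unpinned_keys "$1"
fi
```

    To make the pin meaningful, the DMZ servers' sshd_config should also carry `PasswordAuthentication no`, so that a key presented from the jump host is the only way in; the audit above is the check to run after each key rollout, since one unpinned entry is enough to bypass the jump host entirely.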

  6. #5
    Just Joined!
    Join Date
    May 2009
    Posts
    6
    Thank you for your help!
