On Fri, 12 Feb 2010, Sean Carolan wrote: > > For example, we might have a group called "db-ssh" that defines a user > > group allowed to access database servers. ?Then we just make sure DB > > hosts get "AllowGroups db-ssh" added to their SSH configs. ?Plopping a > > user into the db-ssh group in LDAP then gives that person access to all > > the boxes that group is allowed to access with one LDAP entry. > > Ok, so I have a group called "operations" and have placed some users > in it. "getent group" shows the group: > > operations:*:10000:scarolan,user2,user3,user4 > > I tried putting "AllowGroups operations" into my sshd_config but I > just get "invalid user" errors from sshd. Am I missing something > here? Is "invalid user" all you're seeing in the log? Generally, at least with OpenSSH, if the user is being denied because it's not in a valid group, the logs will say so. They'll also generally tell you if it's because it couldn't find the user at all (often with exactly what it did to try to find the user). If that sort of information is not there, you might try increasing the debugging level in your logs.
