How do I activate time based admin login to a Linux system using windows active directory?

I have set up a solution where the login to our Linux systems is regulated by Microsoft Active Directory and group memberships. Now I want the access time based, so that the AD user will be kicked out of the system after a period of time.

I read a few things about RADIUS and its possibilities to do so eventually.
What I want to accomplish is...

  1. ...that user A will be put into an Active Directory login group but cannot log in to the Linux system.

  2. ...user A can call a website to request access to server X for a few hours or days, but only when user A is in this AD group.

  3. ...user A will be activated for this server using his/her AD credentials and, if possible, a second factor like a one-time password.

  4. ...user A gets kicked out of the system and won't be able to log in again after the period of time.

Does anybody have experience with such a scenario or a similar one that could work here? Or know some helpful software to accomplish this goal?

Thank you!







asked Jul 20 at 8:40 by Dade
edited Jul 20 at 11:26 by redseven
          2 Answers
I don't think there is any out-of-the-box solution for that, so you have to work on it.

1. Connecting Linux boxes to Active Directory is relatively easy, as AD works as an LDAP server and Linux has been able to authenticate against LDAP for ages. There are also some AD-specific solutions. I would suggest googling for "linux sssd active directory" first.

2. I think that's what you have to implement. One possible way: you can add/remove users to/from groups, and the Linux box's AD authentication (previous point) can be based on group membership.

3. The 2nd factor may be independent from AD; you can set up two-factor authentication for your Linux box. One (popular) way is to use Google Authenticator. (Don't be confused, it's nothing related to Google accounts.)

4. Preventing new logins is easy: based on your choice in the 2nd point, you can remove the user from the group after a timeout or something similar. But I don't know any way to terminate already running sessions... Maybe you can implement a simple service which kills all user processes based on some condition (again AD group membership?)







answered Jul 20 at 9:54 by redseven, edited Jul 20 at 14:09











• Hi! Thank you for your answer. The login via sssd is already used. We have login and admin groups in AD and restrictions regarding them. Normally, if you are in the login group you can log in, and the admin group is also in sudoers. Now I want, if possible, a needed second factor to authenticate, and this factor to be time based. This second factor should be generated via an intranet web page, but if I don't find something good I will go with something similar to just removing the users after a time frame.
  – Dade
  Jul 20 at 10:59











• As I said, limiting the login will be the easier thing; the bigger question is what you do with the already running sessions.
  – redseven
  Jul 20 at 12:54
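The "simple service" sketched in point 4 of the answer above, written out as an added example (this is not the answerer's code). A request front-end records a grant with an expiry; a reaper on each host reads the live sessions and terminates those of AD users whose grant has run out. The AD group name `linux-access-request`, the 72-hour policy cap, the sample `loginctl` lines and the user names are all constructed for the example; removing the user from the AD login group that sssd checks is left to a directory-specific hook, which is not shown.

```python
"""Time-boxed Linux access: a grant record plus an expiry reaper.

Added example, not code from the answer. It models point 4 above: a web
front-end records a Grant (user, host, expiry) when it approves a request,
and a periodic reaper on each host terminates sessions of AD users whose
grant has run out. Removing the user from the AD login group that sssd
checks is left to a directory-specific hook. Group name, policy cap and
session lines are constructed for the example.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REQUEST_GROUP = "linux-access-request"  # constructed: AD group allowed to request access
MAX_GRANT_HOURS = 72                     # constructed policy cap ("a few hours or days")


@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    expires: datetime  # timezone-aware UTC


def issue_grant(user: str, host: str, hours: int, ad_groups: set[str], now: datetime) -> Grant:
    """Approve a request only for members of REQUEST_GROUP and only within policy."""
    if REQUEST_GROUP not in ad_groups:
        raise PermissionError(f"{user} is not a member of {REQUEST_GROUP}")
    if not 1 <= hours <= MAX_GRANT_HOURS:
        raise ValueError(f"requested {hours}h, policy allows 1..{MAX_GRANT_HOURS}h")
    return Grant(user, host, now + timedelta(hours=hours))


def active_users(grants: list[Grant], host: str, now: datetime) -> set[str]:
    """Users holding an unexpired grant for this host."""
    return {g.user for g in grants if g.host == host and g.expires > now}


def parse_loginctl(lines: list[str]) -> list[tuple[str, str]]:
    """Parse `loginctl list-sessions --no-legend` output into (session_id, user).

    Columns are SESSION UID USER SEAT TTY ...; only the first three are used,
    so extra columns printed by newer systemd versions do not matter.
    """
    sessions = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3:
            sessions.append((fields[0], fields[2]))
    return sessions


def sessions_to_terminate(session_lines, managed_users, grants, host, now):
    """Sessions of managed (AD) users whose grant on this host has expired.

    Local admins and service accounts are not in managed_users, so they are
    never touched even though they hold no grant.
    """
    live = active_users(grants, host, now)
    return [(sid, user) for sid, user in parse_loginctl(session_lines)
            if user in managed_users and user not in live]


def enforce(session_lines, managed_users, grants, host, now, dry_run=True):
    """Build the termination commands; run them only when dry_run is False."""
    cmds = [["loginctl", "terminate-session", sid]
            for sid, _ in sessions_to_terminate(session_lines, managed_users, grants, host, now)]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample: two AD users and the local root account logged in on srv1.
SAMPLE_SESSIONS = [
    "      3 10001 alice seat0 tty2",
    "      7 10002 bob   -     pts/0",
    "      9     0 root  -     pts/1",
]


def demo():
    now = datetime(2018, 7, 20, 12, 0, tzinfo=timezone.utc)
    grants = [
        issue_grant("alice", "srv1", 4, {REQUEST_GROUP}, now - timedelta(hours=6)),  # expired 2h ago
        issue_grant("bob", "srv1", 8, {REQUEST_GROUP}, now - timedelta(hours=1)),    # 7h left
    ]
    managed = {"alice", "bob"}  # current members of the AD login group sssd allows
    return enforce(SAMPLE_SESSIONS, managed, grants, "srv1", now)


if __name__ == "__main__":
    print(demo())  # [['loginctl', 'terminate-session', '3']]
```

Scoping the reaper to `managed_users` (the members of the AD login group) rather than "everyone without a grant" is the important design choice: otherwise the first run would also terminate local administrators and service accounts. In production the reaper would run from a systemd timer with `dry_run=False`, the grant list would come from the front-end's store rather than being built inline, and the AD group removal would happen in the same pass so that the user cannot simply log in again.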
















You could issue temporary OpenSSH certificates to implement a time-limited SSH login. There are various web pages describing how to do that with the ssh-keygen tool. The user would authenticate at a web service, and an SSH CA would issue an OpenSSH certificate (not X.509) valid for a couple of hours or days.

I've also implemented such an SSH CA component for a customer as a simple stateless web service, accessed with a small Python script on the client side.

But this only prevents users from logging in again with this key after the certificate expires. The tricky part is reliably kicking out active user sessions after that time. In particular, you should clarify whether you really want to do that, or just monitor and warn about long-lasting SSH sessions.







answered Jul 20 at 19:36 by Michael Ströder
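What the validity window of such a certificate actually looks like on the wire, as an added example (not the answerer's code, and not OpenSSH's). It encodes and decodes the `ssh-ed25519-cert-v01@openssh.com` format from OpenSSH's PROTOCOL.certkeys document, which is what `ssh-keygen -s ca_key -V +4h` writes into the `-cert.pub` file and what sshd evaluates before letting a principal in: `valid_after <= now < valid_before`, plus a principal match. The sample certificate is constructed with a dummy public key, the key id `alice@web-ca` and no signature, so it only illustrates the fields; a real CA signs the blob and sshd would reject this one.

```python
"""Inspect the validity window of an OpenSSH user certificate.

Added example, not code from the answer or from OpenSSH. It encodes and
decodes the ssh-ed25519-cert-v01@openssh.com wire format from OpenSSH's
PROTOCOL.certkeys, which is what `ssh-keygen -s ca -V +4h` writes and what
sshd evaluates: valid_after <= now < valid_before, plus a principal match.
The sample certificate is constructed with a dummy key and no signature,
so it only illustrates the fields; a real CA signs it and sshd would reject
this one.
"""
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 2 would be a host certificate


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n


def encode_user_cert(pubkey, key_id, principals, valid_after, valid_before, serial=1):
    """Build an (unsigned) certificate blob in the certkeys field order."""
    return b"".join([
        _string(CERT_TYPE),
        _string(b"\x00" * 32),                                   # nonce (constructed)
        _string(pubkey),
        struct.pack(">Q", serial),
        struct.pack(">I", SSH_CERT_TYPE_USER),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),                          # seconds since epoch
        struct.pack(">Q", valid_before),
        _string(b""),                                            # critical options
        _string(b""),                                            # extensions
        _string(b""),                                            # reserved
        _string(b"\x00" * 51),                                   # signature key (dummy)
        _string(b""),                                            # signature (absent)
    ])


def parse_cert_blob(blob: bytes) -> dict:
    off = 0
    cert_type, off = _read_string(blob, off)
    _nonce, off = _read_string(blob, off)
    pubkey, off = _read_string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_string(blob, off)
    princ_blob, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):               # nested list of strings
        name, p = _read_string(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    return {
        "cert_type": cert_type.decode(), "pubkey": pubkey, "serial": serial,
        "type": ctype, "key_id": key_id.decode(), "principals": principals,
        "valid_after": valid_after, "valid_before": valid_before,
    }


def parse_cert_line(line: str) -> dict:
    """Parse an id_ed25519-cert.pub style line: '<type> <base64> [comment]'."""
    kind, b64 = line.split()[:2]
    cert = parse_cert_blob(base64.b64decode(b64))
    if cert["cert_type"] != kind:
        raise ValueError("certificate type prefix does not match blob")
    return cert


def cert_permits_login(cert: dict, principal: str, now: int) -> bool:
    """Time-and-principal part of sshd's check (signature not verified here)."""
    return (cert["type"] == SSH_CERT_TYPE_USER
            and principal in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])


def sample_cert_line(issued_at: int, hours: int = 4) -> str:
    """Constructed certificate for principal 'alice', valid for `hours` from issued_at."""
    blob = encode_user_cert(b"\x11" * 32, "alice@web-ca", ["alice"],
                            issued_at, issued_at + hours * 3600)
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode() + " alice-temporary"


if __name__ == "__main__":
    now = int(time.time())
    cert = parse_cert_line(sample_cert_line(now - 3600, hours=4))
    print(cert["key_id"], cert["principals"], cert_permits_login(cert, "alice", now))
```

In a real deployment the web service runs `ssh-keygen -s ca_key -I <key id> -n <principal> -V +4h user_key.pub` after the AD authentication succeeds, sshd trusts the CA through `TrustedUserCAKeys`, and `ssh-keygen -L -f user_key-cert.pub` prints the same `Valid:` window this parser extracts. Putting the user name into the principals list and the requesting identity into the key id is what makes the issued certificate auditable in the sshd log. As the answer says, expiry only stops new logins; a session opened at minute one of a four-hour certificate is untouched at minute 241, and revoking a certificate early needs a `RevokedKeys` list on the hosts.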






















                     
