
Feature: Allow login only for specific Entra group

Open valluwtf opened this issue 1 year ago • 4 comments

Is there an existing request for this feature?

  • [X] I have searched the existing issues and found none that matched mine

Describe the feature

It would be great if one could allow multiple users to authenticate on multiple servers with different access rights through group membership, all within one Entra ID application, by adding the users to groups in Entra which authd then allows.

Describe the ideal solution

I edit the broker config file with the allowed groups on each host:

allowed_group: <HOSTNAME1>

and on login, authd validates with the token whether the user is part of that group and then allows or declines the login.

Alternatives and current workarounds

Currently I would say the only workaround for granting dedicated access is to have a single Entra application for each host, which would work but is not really ideal if you have more than a handful of hosts...

System information and logs

Environment

  • broker version: please run snap info authd-msentraid
  • authd version: please run /usr/libexec/authd version
  • gnome shell version: please run apt policy gnome-shell
  • Distribution: (NAME in /etc/os-release)
  • Distribution version: (VERSION_ID in /etc/os-release)

Log files

Please redact/remove sensitive information:

Authd entries:

journalctl -u authd.service

MS Entra ID broker entries:

journalctl -u snap.authd-msentraid.authd-msentraid.service

Application settings

Please redact/remove sensitive information:

Broker configuration:

cat /var/snap/authd-msentraid/current/broker.conf

Broker authd configuration:

cat /etc/authd/brokers.d/msentraid.conf

Relevant information

No response

Double check your logs

  • [X] I have redacted any sensitive information from the logs

valluwtf, Oct 18 '24 09:10

Well... I just added the AllowGroups setting in sshd_config and that fixes this easily, so this feature is not really necessary for us anymore since we only use SSH login.

valluwtf, Oct 18 '24 10:10

You can also set a group when creating the Azure application; it limits who can log in.

namato1, Dec 20 '24 02:12

AllowGroups is not working for me. I tried adding an Entra group name in AllowGroups and it prevents my user from signing in. SSH always returns "authentication failure: incorrect password" in the Local Password Authentication, and I can't type 'r' to cancel the request and go back to the provider selection.

Titaye, Apr 15 '25 12:04

And I can't type 'r' to cancel the request and go back to the provider selection

That's normal: once you choose to go through the local way, it's just normal PAM access.

3v1n0, Apr 15 '25 12:04
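Both the AllowGroups workaround mentioned earlier in the thread and the lockout reported after it come down to the same thing: sshd matches its patterns against the group names the host's NSS reports for the user (what `id -Gn <user>` prints on that machine), not against the names shown in Entra. The following is an added example, not code from authd, the MS Entra ID broker or OpenSSH. It dry-runs sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups decision against a constructed sshd_config drop-in and constructed group lists, so a change can be checked before it locks anyone out. The file path, user names and group names are assumptions; '!' negated patterns and USER@HOST forms are deliberately not modelled.

```python
"""Dry-run OpenSSH's AllowGroups/DenyGroups/AllowUsers/DenyUsers decision.

Added example, not code from authd or OpenSSH. It models the sshd_config(5)
semantics for these four keywords: they are evaluated in the order
DenyUsers, AllowUsers, DenyGroups, AllowGroups; every occurrence of a
keyword adds to its pattern list; patterns use '*' and '?' and are matched
case-sensitively against the login name and against all of the user's
group names (primary and supplementary). Assumed simplifications:
'!' negated patterns and USER@HOST forms are not modelled.
"""
from fnmatch import fnmatchcase

KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_access_directives(config_text):
    """Collect the access-control patterns from sshd_config text."""
    directives = {k: [] for k in KEYWORDS}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword in directives:
            # Patterns are separated by spaces; one argument may itself be a
            # comma-separated pattern list, so split on both.
            for arg in parts[1:]:
                directives[keyword].extend(p for p in arg.split(",") if p)
    return directives


def _matches_any(name, patterns):
    # fnmatchcase: '*' and '?' wildcards, no case folding, like sshd.
    return any(fnmatchcase(name, p) for p in patterns)


def sshd_access_decision(user, groups, directives):
    """Return (allowed, reason) for a user with the given host group names.

    `groups` is what `id -Gn USER` prints on the target host; sshd compares
    against those names and never sees the IdP's group display names.
    """
    if _matches_any(user, directives["denyusers"]):
        return False, "denied by DenyUsers"
    if directives["allowusers"] and not _matches_any(user, directives["allowusers"]):
        return False, "denied: not in AllowUsers"
    if any(_matches_any(g, directives["denygroups"]) for g in groups):
        return False, "denied by DenyGroups"
    if directives["allowgroups"] and not any(
        _matches_any(g, directives["allowgroups"]) for g in groups
    ):
        return False, "denied: no group matches AllowGroups"
    return True, "allowed"


# Constructed sample drop-in (hypothetical path /etc/ssh/sshd_config.d/50-entra.conf).
SAMPLE_CONFIG = """\
# Only members of a per-host admin group or of sudo may log in over SSH.
AllowGroups linux-admins-hostname1 sudo
DenyGroups contractors
"""

# Constructed group lists, as `id -Gn <user>` might print them on the host.
SAMPLE_USERS = {
    "alice@example.com": ["alice@example.com", "linux-admins-hostname1", "sudo"],
    # The group name on the host differs in case and spacing from the pattern,
    # so this user is locked out even though they are "in the group" in the IdP.
    "bob@example.com": ["bob@example.com", "Linux Admins hostname1"],
    # Matches AllowGroups, but DenyGroups is evaluated first and wins.
    "carol@example.com": ["carol@example.com", "linux-admins-hostname1", "contractors"],
}


def check_sample():
    """Evaluate every constructed user against the constructed config."""
    directives = parse_access_directives(SAMPLE_CONFIG)
    return {u: sshd_access_decision(u, g, directives) for u, g in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for user, (ok, why) in check_sample().items():
        print(f"{user:20} {'ALLOW' if ok else 'DENY':5} {why}")
```

On a real host, feed the function the output of `id -Gn <user>` taken after one successful login, and compare with the effective patterns that `sshd -T -C user=<user>,host=<host>,addr=<addr> | grep -i allowgroups` prints; keep a second SSH session open while editing sshd_config so a mismatch does not lock you out.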