Idea ID: 2875532

Proxy SSH connections with Active-Directory account like for RDP connections

Status: Needs Clarification

With PAM you can proxy RDP sessions with an preconfigured Active-Directory account (run User). Some configuration is not working for SSH or SQL Developer connections.

Use Case:

External customers have their Accounts in a dedicated "isolated" domain responsible only for hosting external accounts to authenticate the external users against PAM (authentication is happening through NetIQ AA. When authenticated they can access systems, based on the configured Rules, which are assigned to them. These destination systems are joined into an INTERNAL Active Directory, the external customer must not have an associated AD account from. He must not have any account and password information.

Not only Windows servers must be joined to an Active Directory, also Linux systems can be joined so you can login using AD credentials!

This setup is working well for Windows RDP sessions, but it is not working for SSH Sessions. When i have opened a ticket to get support on this the assigned worker (Shalom Igiraneza) have duplicated the setup on his test environment and confirmed that this is not working. Also he was talking to the developers who confirmed this is currently not supported. 

However everyone I talked to was saying this a valid use case and nobody knows why this is currently not supported.


From Security point of view this would be a huge benefit. There are many companies out there which also joins their Linux systems into active directory, to avoid using local accounts where you cannot force e.g. password policies globally. Where you have an account to employee assignment, where you have no issues with ssk keys, ...

What needs to be done from my end, to get some visibility into this enhancement request together with some priority.


This is an request of our internal Business. PPM is having external customers and within AWS all systems are joined into the domain. So by missing this "feature" we are actively harming our service we provide to external customers.



  • Will you kindly evaluate the information that kprajesh gave and update us on whether it meets your needs?

  • PAM works against any Linux system that is added to AD domain.

    For this to work, the target Linux system should be configured such that the domain name "need not" be passed during login. 

    For this, the below custom configuration of ldap by setting the default domain name on the target system can be done so that the user does not need to pass the domain_name during login.
    The cfg file is /etc/sssd/conf.d/sssd.conf as shown in sample below - 

    1) default_domain_suffix - Mandatory
    2) use_fully_qualified_names - Optional
    domains = my_domain
    services = nss, pam
    config_file_version = 2
    default_domain_suffix = my_domain
    id_provider = ldap
    ldap_uri = ldap://
    ldap_search_base = dc=example,dc=com
    use_fully_qualified_names = False