I use AD authentication in my environment (for password-based authentication).
Current Scenario:
- A valid AD user logs in to the Ubuntu Linux server via SSH
- That user adds his public key to ~/.ssh/authorized_keys for passwordless login
- I disable/lock/delete the AD user to prevent him from logging in
- The user is still able to log in to the server, since his public key is still there!
Expected Scenario: If I disable/lock/delete a user’s AD account (or his AD password expires), he shouldn’t be able to log in to any server with his AD account, even if his public key is installed there.
To enforce this, you just need to add this to /etc/ssh/sshd_config:
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
This will allow you to log in ONLY if you have your public key installed on the server AND enter your AD password.
I would suggest using this on PROD systems only.
Now you have the security advantages of both PKI & AD!
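To confirm the setting is actually in force, here is an added example (not from the original post or the forum thread): a shell function that reads the effective server settings in the format printed by `sshd -T` and passes only if every AuthenticationMethods list requires a public key plus a password or keyboard-interactive step. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` style output on stdin.
# Returns 0 only if EVERY AuthenticationMethods list contains publickey AND
# either password or keyboard-interactive. sshd accepts a login as soon as
# any one list is completed, so a single weak list defeats the policy.
check_authmethods() {
    # Strip quotes so a raw sshd_config line is accepted too.
    lists=$(tr -d '"' | awk 'tolower($1) == "authenticationmethods" { $1 = ""; print; exit }')
    # No directive at all means the default ("any"): a key alone is enough.
    [ -n "$lists" ] || return 1
    for list in $lists; do
        case ",$list," in
            *,publickey,*) ;;
            *) return 1 ;;   # this list does not require a key (covers "any")
        esac
        case ",$list," in
            *,password,*|*,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) return 1 ;;   # this list lets a key alone through
        esac
    done
    return 0
}

# Constructed samples in the format printed by `sshd -T`.
GOOD='authenticationmethods publickey,password publickey,keyboard-interactive'
KEY_ONLY='authenticationmethods any'
MIXED='authenticationmethods publickey publickey,password'

for sample in "$GOOD" "$KEY_ONLY" "$MIXED"; do
    if printf '%s\n' "$sample" | check_authmethods; then
        echo "OK:   $sample"
    else
        echo "WEAK: $sample"
    fi
done
```

On a real server the input would come from `sudo sshd -T | check_authmethods`. Each method named in the list must also be enabled in sshd_config, and sshd has to be reloaded before the change takes effect.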
Source: https://ubuntuforums.org/showthread.php?t=2155116