pam_listfile to limit domain users' SSH access
Problem:
Any domain user can log in to my linux servers if I join them to the domain.

Solution:
Use pam_listfile to limit it to one specific group. Followed this guide http://www.cyberciti.biz/tips/howto-...oup-login.html

Result:
Will not work! :-p

Put the following line in my /etc/pam.d/system-auth file:

auth required /lib/security/$ISA/pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

Added the correct AD group to the login.group.allowed file and no worky.. I cannot log in to the server with a domain user in that group. If I remove that line and/or change item=group to user and add my test user id to it, it works fine.

messages shows this:

Sep 14 16:23:26 servername sshd[17839]: PAM-listfile: Refused user testid for service sshd
Sep 14 16:23:26 servername sshd(pam_unix)[17839]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1 user=testid
Sep 14 16:23:26 servername sshd[17839]: pam_winbind(sshd): user 'testid' granted access

Any ideas would be GREATLY appreciated.. I am banging my head on the wall on this one and it is probably something stupid I am just overlooking.

Thanks
r3z
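To make the semantics of that pam_listfile line concrete, here is an added Python model of the module's allow/deny decision (an illustration written for this thread, not pam_listfile's own code). The file contents and group names below are constructed; in practice the group names must match what NSS (winbind here) reports for the user, e.g. the output of `id testid`.

```python
from typing import Iterable, Optional


def pam_listfile_decision(item: str, sense: str, onerr: str,
                          listfile: Optional[str], user: str,
                          user_groups: Iterable[str]) -> str:
    """Model of pam_listfile's decision for item=user / item=group.

    item:        "user" or "group", what is compared against the file
    sense:       "allow" or "deny", the meaning of a match
    onerr:       "fail" or "succeed", the result when the file is unusable
    listfile:    file contents, or None to simulate an unreadable file
                 (the real module also treats a file that is not owned by
                 root or is world-writable as an error, same as onerr)
    user_groups: group names as NSS resolves them for the user
    Returns "allow" or "deny".
    """
    if listfile is None:
        return "deny" if onerr == "fail" else "allow"

    # one entry per line; blank lines are ignored
    entries = [line.strip() for line in listfile.splitlines() if line.strip()]

    if item == "user":
        matched = user in entries
    elif item == "group":
        # membership is tested by group *name*, so the spelling in the
        # file must equal the name NSS returns for the user's groups
        groups = set(user_groups)
        matched = any(entry in groups for entry in entries)
    else:
        raise ValueError("item=%s not modelled here" % item)

    if sense == "allow":
        return "allow" if matched else "deny"
    return "deny" if matched else "allow"


# Constructed data mirroring the thread: the line from system-auth is
# onerr=fail item=group sense=allow, the file holds one AD group name.
ALLOWED_FILE = "ssh-admins\n"


def check_testid(groups: Iterable[str]) -> str:
    return pam_listfile_decision("group", "allow", "fail",
                                 ALLOWED_FILE, "testid", groups)
```

When the second call below returns "deny", the module logs the same "Refused user testid for service sshd" line shown in the question, which is why comparing the file against `id testid` is the first check to run.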
You seem to be reinventing the wheel a little. Why not just use /etc/security/access.conf? Or if you want an SSH-only solution, set "AllowGroups mygroup" in your /etc/ssh/sshd_config file.
Thanks!
Personally I don't like that solution, as it's not generic, but it is *very* simple and reliable...
If you have a better solution I am all ears.. ;)
Well, as above, I'd prefer using access.conf.