LinuxQuestions.org


r3z 09-16-2009 07:38 AM

pam_listfile to limit users domain users SSH access

Problem:
Any domain user can log in to my linux servers if I join them to the domain.
Solution:
Use pam_listfile to limit it to one specific group.
Followed this guide http://www.cyberciti.biz/tips/howto-...oup-login.html
Result: Will not work! :-p

Put the following line in my /etc/pam.d/system-auth file:
auth required /lib/security/$ISA/pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

Added the correct AD group to the login.group.allowed file and no worky..
I cannot log in to the server with a domain user in that group. If I remove that line and/or change item=group to user and add my test user ID to it, it works fine.

messages shows this:
Sep 14 16:23:26 servername sshd[17839]: PAM-listfile: Refused user testid for service sshd
Sep 14 16:23:26 servername sshd(pam_unix)[17839]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1 user=testid
Sep 14 16:23:26 servername sshd[17839]: pam_winbind(sshd): user 'testid' granted access


Any ideas would be GREATLY appreciated.. I am banging my head on the wall on this one and it is probably something stupid I am just overlooking.
Thanks

r3z
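As an added example, not part of the thread: a shell dry run of what the pam_listfile line above ("onerr=fail item=group sense=allow") decides for a user, using the same one-group-per-line allow file, so the decision can be checked against what NSS/winbind actually reports for the account before touching system-auth again. The function names, the sample group names and the check that a world-writable list file is refused (taken from the module's behaviour, not from the thread) are assumptions of this example.

```shell
#!/bin/sh
# Emulate pam_listfile "onerr=fail item=group sense=allow file=FILE".
# Matching is an exact string compare of each line in FILE against the
# user's group names, so a name that differs by case, domain prefix or
# separator from what `id -Gn USER` prints will never match.

# listfile_allows GROUPS FILE
#   GROUPS: the user's group names, one per line
#   FILE:   the allow file, one group name per line
# Returns 0 (allow) if any of the user's groups is listed, else 1 (deny).
listfile_allows() {
    groups=$1
    listfile=$2
    # onerr=fail: a missing or unreadable file denies everyone.
    [ -r "$listfile" ] || return 1
    # pam_listfile also refuses a file that is world-writable or not a
    # regular file (assumed from the module); with onerr=fail that is a deny.
    [ -n "$(find "$listfile" -prune -type f ! -perm -002 -print 2>/dev/null)" ] || return 1
    while IFS= read -r allowed || [ -n "$allowed" ]; do
        # Empty lines are skipped; trailing whitespace or a CR is NOT
        # trimmed, it becomes part of the name being compared.
        [ -z "$allowed" ] && continue
        printf '%s\n' "$groups" | grep -qxF -- "$allowed" && return 0
    done < "$listfile"
    return 1
}

# user_groups USER: the user's group names as NSS resolves them, one per
# line. Resolving by numeric GID keeps AD names containing spaces intact.
user_groups() {
    for gid in $(id -G "$1" 2>/dev/null); do
        getent group "$gid" | cut -d: -f1
    done
}

# check_user USER FILE: report what pam_listfile would do for USER.
check_user() {
    if listfile_allows "$(user_groups "$1")" "$2"; then
        echo "ALLOW: $1 is in a group listed in $2"
    else
        echo "DENY:  none of $1's groups ($(id -Gn "$1")) match $2"
    fi
}
```

Run `check_user testid /etc/login.group.allowed` on the server; a DENY line shows the exact group names to put in the file.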

acid_kewpie 09-17-2009 07:25 AM

You seem to be reinventing the wheel a little. Why not just use /etc/security/access.conf? Or if you want an SSH-only solution, set "AllowGroups mygroup" in your /etc/ssh/sshd_config file.

r3z 09-18-2009 06:44 AM

Quote:

Originally Posted by acid_kewpie (Post 3686876)
You seem to be reinventing the wheel a little. Why not just use /etc/security/access.conf? Or if you want an SSH-only solution, set "AllowGroups mygroup" in your /etc/ssh/sshd_config file.

Used the /etc/ssh/sshd_config AllowGroups option and that did the trick!

Thanks!

acid_kewpie 09-18-2009 01:13 PM

Personally I don't like that solution, as it's not generic, but it is *very* simple and reliable...

r3z 09-18-2009 11:09 PM

If you have a better solution I am all ears.. ;)

acid_kewpie 09-19-2009 01:25 AM

Well, as above, I'd prefer using access.conf.
