PAM - only allow domain group members to log on via ssh?

humbletech99 · 01-24-2006, 11:17 AM

Hi,
I want to allow only one group member from my domain to log in to my gentoo box. Having got the group id (15020), with my uderstanding of PAM, I've done:

Code:

auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_winbind.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_succeed_if.so gid=15020
account    required     pam_winbind.so
account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel/ umask=0077

domain authentication works fine from before, but it doesn't stop domain users not in the 15020 mapped group from logging in. I've done various permutations of these PAM rules but haven't hit the spot yet, can anyone recommend anything?

Matir · 01-24-2006, 11:42 AM

I don't see anything in "auth" about group 15020.

humbletech99 · 01-24-2006, 11:47 AM

I also tried that but it also didn't do the trick, I read on a web page that account ... was the line to add.

I'm using 2 accounts to test, 1 in the group 1 outside. The changes I've made either allow both to log in or neither.

Is it possible that even when I've got the PAM right, it only compares the primary group that shows up when you do

Code:

getent passwd user

?

If so, this might explain something cos 15020 isn't the primary group of the user who is a member.

Matir · 01-24-2006, 11:53 AM

I would guess that it only works on the primary group id.