Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
We are trying to use PAM and /etc/security/access.conf to lock down logins to our servers to specific netgroups, and I think we have run into a bug. Our OS is OEL 6.5 and we are running the most recent PAM release, pam-1.1.1-17.el6.x86_64. When we first configured our servers to use netgroups they worked perfectly, but over several weeks users started getting locked out, and now no one can log in unless we completely disable access.conf. I had a clone of one of these servers with a VM snapshot; I rolled back to the snapshot and can now log in to that server again, but I would assume I will eventually be locked out again. We have an OEL 5 server that we have set this up on as well, and that has not encountered any problems. tcpdump on the OEL 5 server shows it querying our LDAP for the username, then querying for the allowed netgroups until it finds a match. But I don't see our OEL 6 servers ever querying for the netgroups. Is anyone here familiar with doing this type of authentication and/or encountered this situation?
# cat sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_access.so debug
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
When netgroup checking is working properly, I can see this in /var/log/secure:
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): line 122: + : @sysadmin : ALL
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): list_match: list= @sysadmin , item=ej
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): user_match: tok=@sysadmin, item=ej
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): netgroup_match: 1 (netgroup=sysadmin, machine=NULL, user=ej, domain=)
Mar 19 14:23:22 or-CLONE sshd[9633]: pam_access(sshd:account): user_match=1, "ej"
When it stops working, it reports user_match=0 "ej", then proceeds to check the next netgroup, UXorprd, then hits the - : ALL : ALL in access.conf and kicks me off.
I have another test user account that I set up to be in both the sysadmin and UXorprd netgroups, and that user is failing at every step: the sysadmin check, UXorprd, and then kicked off.
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 122: + : @sysadmin : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= @sysadmin , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=@sysadmin, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): netgroup_match: 0 (netgroup=sysadmin, machine=NULL, user=ejtest10, domain=)
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=0, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 123: + : @UXorprd : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= @UXorprd , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=@UXorprd, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): netgroup_match: 0 (netgroup=UXorprd, machine=NULL, user=ejtest10, domain=)
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=0, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): line 124: - : ALL : ALL
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= ALL , item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match: tok=ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): string_match: tok=ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): user_match=2, "ejtest10"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): list_match: list= ALL, item=ejtest10
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): from_match: tok=ALL, item=10.0.12.11
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): string_match: tok=ALL, item=10.0.12.11
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): from_match=2, "10.0.12.11"
Mar 19 14:23:34 or-CLONE sshd[9655]: pam_access(sshd:account): access denied for user `ejtest10' from `10.0.12.11'
Mar 19 14:23:34 or-CLONE sshd[9656]: fatal: Access denied for user ejtest10 by PAM account configuration
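The rule walk the debug log above shows (line 122, then 123, then the catch-all on 124) can be reproduced offline. The following is an added example in Python, not code from the original post or from Linux-PAM; it re-implements the evaluation order pam_access applies to access.conf (first matching rule wins, "@name" is a netgroup lookup, a bare name that is not the user is tried as a group, ALL matches everything) so that the three situations in the thread can be replayed. The three access.conf lines are reconstructed from the "line 122/123/124" debug messages, and the netgroup and group tables are constructed stand-ins for whatever NIS, LDAP or an sssd cache would answer; none of that is on the page.

```python
"""Offline replay of pam_access rule evaluation for the access.conf rules
seen in the debug log (added example, not the original poster's code)."""
from dataclasses import dataclass, field

# Reconstructed from the "line 122: ... line 124:" debug messages; the real
# file is longer, so the line offset below is used to keep those numbers.
ACCESS_CONF = """\
+ : @sysadmin : ALL
+ : @UXorprd : ALL
- : ALL : ALL
"""
FIRST_LINE = 122


@dataclass
class Directory:
    """Constructed stand-in for the NSS back end (NIS/LDAP/sssd cache)."""
    netgroups: dict = field(default_factory=dict)  # name -> {(host, user, domain)}
    groups: dict = field(default_factory=dict)     # name -> {user, ...}

    def innetgr(self, netgroup, user):
        """Simplified innetgr(): pam_access calls it with machine=NULL (as the
        log shows), so only the user field of each triple is compared here;
        an empty user in a triple is a wildcard. An unknown or empty netgroup
        yields 0, which is exactly what a missing map looks like to pam_access."""
        for _host, member, _domain in self.netgroups.get(netgroup, ()):
            if member in ("", user):
                return 1
        return 0

    def user_in_group(self, group, user):
        return user in self.groups.get(group, set())


def user_match(tok, user, d):
    """Order used by pam_access: ALL, @netgroup, (group), exact user, then
    the bare token tried as a group name."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return bool(d.innetgr(tok[1:], user))
    if tok.startswith("(") and tok.endswith(")"):
        return d.user_in_group(tok[1:-1], user)
    if tok == user:
        return True
    return d.user_in_group(tok, user)


def from_match(tok, origin):
    """ALL, an exact host/IP, or a trailing-dot network prefix (10.0.12.)."""
    if tok in ("ALL", origin):
        return True
    return tok.endswith(".") and origin.startswith(tok)


def list_match(tokens, matcher):
    """Any token before EXCEPT must match and none after it may match."""
    before, _, after = " ".join(tokens).partition(" EXCEPT ")
    hit = any(matcher(t) for t in before.split())
    if hit and any(matcher(t) for t in after.split()):
        return False
    return hit


def check_access(conf, user, origin, d, first_line=1):
    """Walk the rules in file order; the first rule whose user list and
    origin list both match decides. Returns (allowed, line_number); when no
    rule matches at all pam_access grants access, returned as (True, None)."""
    for n, raw in enumerate(conf.splitlines(), first_line):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), lambda t: user_match(t, user, d))
                and list_match(origins.split(), lambda t: from_match(t, origin))):
            return (perm == "+", n)
    return (True, None)


def replay_thread(origin="10.0.12.11"):
    """The three situations from the thread, with constructed directory data."""
    working = Directory(netgroups={"sysadmin": {("", "ej", "")},
                                   "UXorprd": {("", "ejtest10", "")}})
    # Netgroup lookups returning nothing: every "@..." token fails, so the
    # user falls through to "- : ALL : ALL" on line 124.
    broken = Directory(netgroups={}, groups={"sysadmin": {"ej", "ejtest10"}})
    # Same rules with the "@" removed: the bare names are tried as groups.
    no_at = ACCESS_CONF.replace("@", "")
    return {
        "ej_working": check_access(ACCESS_CONF, "ej", origin, working, FIRST_LINE),
        "ejtest10_broken": check_access(ACCESS_CONF, "ejtest10", origin, broken, FIRST_LINE),
        "ej_group_form": check_access(no_at, "ej", origin, broken, FIRST_LINE),
        "newuser_group_form": check_access(no_at, "newuser", origin, broken, FIRST_LINE),
    }


if __name__ == "__main__":
    for case, (allowed, line) in replay_thread().items():
        print(f"{case}: {'allowed' if allowed else 'denied'} by line {line}")
```

The "broken" directory is the point of the example: when the netgroup map is absent, empty or stale, every "@" token returns 0 just as the netgroup_match lines in the log do, and the deny-all rule is the first thing that matches. Dropping the "@" changes what is consulted (group membership rather than netgroup triples), which is why the result can differ without any change to the rule order.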
This is an NIS netgroup that we are using, but this seems to be working now after removing the @. I created a new user that has never had access to either of my allowed groups, and that user is being blocked. However, I removed my other test user from both groups (it had previously been in both of my test groups) and that user is still able to log in. I tried restarting nslcd but can still log in. Could the user info for the old user be cached somehow?
Are you using sssd? If so, then yes, the user may be cached.