LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-09-2008, 06:03 PM   #1
zoltrix
Member
 
Registered: Oct 2004
Distribution: Fedora 11, Ubuntu 9.04, RHEL 4,5 ,Centos 5.1
Posts: 45

Rep: Reputation: 15
Question pam_succeed_if.so help needed for multiple groups


Hi all ,
I want to restrict ssh access to users of 2 groups.
But , from what I saw in pam_succeed_if documentation, it did not look possible. The issue is that one group is a mapped NT group via winbind , and one is a local group on the machine. Any ideas about this can be achieved?

NTgroup = OUusers
Local Group = server_admins

I want only these to be able to login.
 
Old 06-11-2008, 01:24 PM   #2
dlrosen
LQ Newbie
 
Registered: Jun 2008
Posts: 2

Rep: Reputation: 0
Assume in smb.conf the imap uids / guids are starting here:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

then the pam config file would look like this (in our case we're doing this for ssh access so this is the contents of /etc/pam.d/sshd)

#%PAM-1.0
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 16777216
account sufficient pam_succeed_if.so user ingroup windows_group_1
account required pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

every extra ingroup line you add, add 1 to default= . That defines the number of lines to skip if the condition isn't met i.e. it's a local id not an active directory id. The last of the ingroup lines should be set account required, all the others in front of it should be set account sufficient.

For some reason it was necessary to have this line in the system-auth-ac file, putting it in sshd directly didn't work:

auth sufficient pam_winbind.so use_first_pass

But your question is more about mixing and matching a local group and a windows group, not multiple windows groups (although I think there's some value to wanting to do that also). Here's our entire system-auth-ac file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

"include" statements in the sshd file mean read in what you have in system-auth-ac (system-auth is an alias). So the line

account include system-auth

in the sshd file causes these lines:

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

to be read in - the first of which states use the standard Unix authentication modules i.e. /etc/passwrd etc. process. Well I think this is all ok - it's been holding up over the last two days.
 
Old 08-24-2009, 06:12 PM   #3
tmack0
LQ Newbie
 
Registered: Aug 2009
Location: SF Bay Area
Posts: 1

Rep: Reputation: 0
Smile PAM Logical OR

Quote:
Originally Posted by dlrosen View Post
#%PAM-1.0
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 16777216
account sufficient pam_succeed_if.so user ingroup windows_group_1
account required pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
...
Just wanted to point out (yes, I know this is an old thread, but shows up near the top of Google for "Pam Multiple Group" and a few other related topics), this suggested config would completely bypass the system-auth include line if the user is in the windows_group_1 group. The sufficient mode will immediately return success for that check. The way to require one of a set of requirements without breaking the basic checks in the include line is to change to the following:

account [default=ignore success=2] pam_succeed_if.so quiet uid < 16777216
account [default=ignore success=1] pam_succeed_if.so user ingroup windows_group_1
account [default=bad success=ignore] pam_succeed_if.so user ingroup windows_group_2

What happens here is it first checks if the user is local or not (same as OP suggested just flipped the compare to keep syntax the same) and skips the group checking if so (via success=2). Next, it checks for membership in windows_group_1, if a member, it skips out of the group checking and continues at the include system-auth line, otherwise it checks for membership in windows_group_2, and fails the account section if not in that group. You can add as many groups as you like here, just duplicate the windows_group_1 line and increment the numbers in the first two lines (success=3 and success=2, new line stays at success=1) so it will properly skip out of the group checking. The last check line should always have default=bad to fail the section. You probably want to add quiet to both the group checking lines as well so it doesnt log a failure every time someone in windows_group_2 logs in.

This basically sets up a logical OR across a bunch of checks. As shown here, it checks that UID is below a certain minimal value, or that the user is a member of one of either groups presented (ie: ( uid<$x || $user.ingroup(windows_group_1) || $user.ingroup(windows_group_2)) ).
 
Old 08-24-2009, 07:29 PM   #4
zoltrix
Member
 
Registered: Oct 2004
Distribution: Fedora 11, Ubuntu 9.04, RHEL 4,5 ,Centos 5.1
Posts: 45

Original Poster
Rep: Reputation: 15
tmack0: I really appreciate you concern. Thanks for taking the trouble to post this here.
Yes that surely seems is a better way of doin the multiple group thins. I will modify my pam config accordingly.
 
Old 08-25-2009, 09:59 PM   #5
dlrosen
LQ Newbie
 
Registered: Jun 2008
Posts: 2

Rep: Reputation: 0
Excellent !!!

Thanks for the update tmack0. Very slick. So here's the whole file for your cutting and pasting pleasure, just watch out for the ^M at the end of each line that sometimes sneak in - dos2unix will get rid of them.

auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=ignore success=2] pam_succeed_if.so quiet uid < 16777216
account [default=ignore success=1] pam_succeed_if.so user ingroup windows_group_1
account [default=bad success=ignore] pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
 
  


Reply

Tags
groups, multiple, pam, samba, winbind, windows


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can a user be in multiple groups? vitalstrike82 Suse/Novell 2 02-25-2008 09:44 PM
kickstart; how-to info needed for multiple instances of RH OS's and multiple unique v Joe_Wulf Linux - Server 4 06-21-2007 11:18 PM
File with multiple groups? belorion Linux - General 1 09-01-2005 05:45 PM
multiple groups permissions steve007 Linux - Newbie 2 07-01-2005 12:24 PM
More info on groups needed pjdepasq Mandriva 0 02-26-2004 07:49 AM


All times are GMT -5. The time now is 02:49 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration