Using pam_listfile.so to limit SSH access in RHEL 5

vicjalan · 09-17-2008, 01:35 PM

Hi all,

I'm currently using the pam_listfile.so module to limit ssh access based a list of users (both AD users and local users). Here is what my current etc/pam.d/sshd looks like:

Code:

#%PAM-1.0
auth      required    pam_listfile.so item=user sense=allow file=/etc/security/login.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so

My login.allowed file looks like:

Code:

root
administrator
domain+user1
domain+user2

Now what I want to accomplish is to limit the SSH access from a group list instead of a user list, however when I do this, all my AD users get locked out. My configuration was changed to this:

Code:

#%PAM-1.0
auth      required    pam_listfile.so item=group sense=allow file=/etc/security/group.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so

and my group.allowed list like so:

Code:

wheel
domain+group1

With this setup, only the users in the wheel group are able to ssh in but not the users in the domain group. I also get this in the /var/log/secure

Code:

pam_listfile(sshd:auth): Refused user domain+user1 for service sshd

So it seems like it is looking in the group.allowed file but doesn't seem to get from AD that the user actually does belong to that group.

Running further tests by running getent group. I get this:

Code:

# getent group domain+group1
DOMAIN+group1:*:11000040:DOMAIN+user1

Could this be a bug in the pam module? That's the only thing I can think of. Any ideas?

Thanks in advanced,

scheidel21 · 09-18-2008, 11:55 AM

Could be possible that Linux just can't see the groups that the domain user belongs to, maybe a Samba issue?

vicjalan · 09-18-2008, 12:40 PM

Thanks for your input scheidel21, but I doubt that.

If that was true then I shouldn't be able to see the domain users that belong in the domain group using "getent group <domain group>" command. Or is this command unrelated to what you're referring to?

PithyThought · 06-18-2010, 02:27 PM

It seems I'm trying to do the same thing and running into the same problem. My assumption here is that pam_listfile.so is somehow not aware of winbind. (It's not using an appropriate mechanism such that nsswitch isn't noticing domain groups.) Frustrating - as this seems to be the right way to accomplish this otherwise. So... did you find a solution?

I can probably implement a workaround - but it's frustrating to have to...

Adam

PithyThought · 06-18-2010, 02:50 PM

I found it. The way to do this sort of limitation is by configuring pam_winbind instead of pam_listfile. Two ways to do that on RHEL 5.5:
1) edit the /etc/pam.d/system-auth OR
2) much better: edit /etc/security/pam_winbind.conf and add something like: require_membership_of = DOMAIN+group

By the way, having an .ssh directory in the user's home directory with an authorized_keys file bypasses the authentication. So you might also want to add "AllowGroups root wheel DOMAIN+group" to your /etc/samba/sshd_config file.

I hope that helps,

Adam

vwtech · 10-08-2010, 11:24 PM

Quote:

Originally Posted by vicjalan

Now what I want to accomplish is to limit the SSH access from a group list instead of a user list, however when I do this, all my AD users get locked out. My configuration was changed to this:

Code:

#%PAM-1.0
auth      required    pam_listfile.so item=group sense=allow file=/etc/security/group.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so

and my group.allowed list like so:

Code:

wheel
domain+group1

The reason all of the AD users are being locked out is because you need "onerr=succeed" not "onerr=succeed".
I know it seems backward but my studies and what I've found online claim this to be true.

ferricoxide · 11-04-2010, 03:32 PM

The problem I've found with using the pam_winbind.conf method is that it doesn't seem to support allowing more than one AD group access. Thus, if you have two users in two different groups and have administrative reasons for not putting them into a common group, using pam_winbind.conf will only provide the ability to allow one or the other group's members to access the system.

The pam_listfile method allows you to specify or match against any number of groups. It's downfall, however, seems to be that it only matches against a user's primary group. Thus, if I have "Domain Users" as my primary group and "Linux Users" as one of my secondary groups, if I try to disallow "Domain Users" (through omission) but allow "Linux Users", I can only do so if I change my AD user's primary group to "Linux Users".

Quote:

Originally Posted by PithyThought

I found it. The way to do this sort of limitation is by configuring pam_winbind instead of pam_listfile. Two ways to do that on RHEL 5.5:
1) edit the /etc/pam.d/system-auth OR
2) much better: edit /etc/security/pam_winbind.conf and add something like: require_membership_of = DOMAIN+group

By the way, having an .ssh directory in the user's home directory with an authorized_keys file bypasses the authentication. So you might also want to add "AllowGroups root wheel DOMAIN+group" to your /etc/samba/sshd_config file.

I hope that helps,

Adam