LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Old 09-17-2008, 01:35 PM   #1
vicjalan
LQ Newbie
 
Registered: Sep 2008
Location: Atlanta, GA
Distribution: RHEL 5, Fedora 8, Fedora 9
Posts: 9

Rep: Reputation: 1
Using pam_listfile.so to limit SSH access in RHEL 5


Hi all,

I'm currently using the pam_listfile.so module to limit ssh access based on a list of users (both AD users and local users). Here is what my current /etc/pam.d/sshd looks like:

Code:
#%PAM-1.0
auth      required    pam_listfile.so item=user sense=allow file=/etc/security/login.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so

My login.allowed file looks like:

Code:
root
administrator
domain+user1
domain+user2
Now what I want to accomplish is to limit the SSH access from a group list instead of a user list, however when I do this, all my AD users get locked out. My configuration was changed to this:

Code:
#%PAM-1.0
auth      required    pam_listfile.so item=group sense=allow file=/etc/security/group.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so
and my group.allowed list like so:

Code:
wheel
domain+group1
With this setup, only the users in the wheel group are able to ssh in, but not the users in the domain group. I also get this in /var/log/secure:

Code:
pam_listfile(sshd:auth): Refused user domain+user1 for service sshd
So it seems like it is looking in the group.allowed file but doesn't seem to get from AD that the user actually does belong to that group.

Running further tests with getent group, I get this:

Code:
# getent group domain+group1
DOMAIN+group1:*:11000040:DOMAIN+user1
Could this be a bug in the pam module? That's the only thing I can think of. Any ideas?

Thanks in advance,
 
Old 09-18-2008, 11:55 AM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100
Could be possible that Linux just can't see the groups that the domain user belongs to, maybe a Samba issue?
 
Old 09-18-2008, 12:40 PM   #3
vicjalan
LQ Newbie
 
Registered: Sep 2008
Location: Atlanta, GA
Distribution: RHEL 5, Fedora 8, Fedora 9
Posts: 9

Original Poster
Rep: Reputation: 1
Thanks for your input scheidel21, but I doubt that.

If that was true then I shouldn't be able to see the domain users that belong in the domain group using "getent group <domain group>" command. Or is this command unrelated to what you're referring to?
 
Old 06-18-2010, 02:27 PM   #4
PithyThought
LQ Newbie
 
Registered: Nov 2002
Location: Canada
Distribution: Fedora
Posts: 5

Rep: Reputation: 1
Similar results

It seems I'm trying to do the same thing and running into the same problem. My assumption here is that pam_listfile.so is somehow not aware of winbind. (It's not using an appropriate mechanism such that nsswitch isn't noticing domain groups.) Frustrating - as this seems to be the right way to accomplish this otherwise. So... did you find a solution?

I can probably implement a workaround - but it's frustrating to have to...

Adam
 
Old 06-18-2010, 02:50 PM   #5
PithyThought
LQ Newbie
 
Registered: Nov 2002
Location: Canada
Distribution: Fedora
Posts: 5

Rep: Reputation: 1
solution

I found it. The way to do this sort of limitation is by configuring pam_winbind instead of pam_listfile. Two ways to do that on RHEL 5.5:
1) edit the /etc/pam.d/system-auth OR
2) much better: edit /etc/security/pam_winbind.conf and add something like: require_membership_of = DOMAIN+group

By the way, having an .ssh directory in the user's home directory with an authorized_keys file bypasses the authentication. So you might also want to add "AllowGroups root wheel DOMAIN+group" to your /etc/samba/sshd_config file.

I hope that helps,

Adam
 
Old 10-08-2010, 11:24 PM   #6
vwtech
Member
 
Registered: Dec 2007
Distribution: Fedora, Oracle Linux & Centos
Posts: 197

Rep: Reputation: 26

Quote:
Originally Posted by vicjalan
Now what I want to accomplish is to limit the SSH access from a group list instead of a user list, however when I do this, all my AD users get locked out. My configuration was changed to this:

Code:
#%PAM-1.0
auth      required    pam_listfile.so item=group sense=allow file=/etc/security/group.allowed onerr=fail
auth      sufficient  pam_winbind.so

account	  sufficient  pam_winbind.so
account	  required    pam_nologin.so
account	  include     system-auth

password  include     system-auth
password  sufficient  pam_winbind.so use_authtok

session	  optional    pam_keyinit.so force revoke
session	  include     system-auth
session	  required    pam_loginuid.so
and my group.allowed list like so:

Code:
wheel
domain+group1
The reason all of the AD users are being locked out is that you need "onerr=succeed", not "onerr=fail".
I know it seems backward but my studies and what I've found online claim this to be true.
 
Old 11-04-2010, 03:32 PM   #7
ferricoxide
LQ Newbie
 
Registered: Nov 2010
Posts: 12

Rep: Reputation: 0
The problem I've found with using the pam_winbind.conf method is that it doesn't seem to support allowing more than one AD group access. Thus, if you have two users in two different groups and have administrative reasons for not putting them into a common group, using pam_winbind.conf will only provide the ability to allow one or the other group's members to access the system.

The pam_listfile method allows you to specify or match against any number of groups. Its downfall, however, seems to be that it only matches against a user's primary group. Thus, if I have "Domain Users" as my primary group and "Linux Users" as one of my secondary groups, if I try to disallow "Domain Users" (through omission) but allow "Linux Users", I can only do so if I change my AD user's primary group to "Linux Users".

Quote:
Originally Posted by PithyThought
I found it. The way to do this sort of limitation is by configuring pam_winbind instead of pam_listfile. Two ways to do that on RHEL 5.5:
1) edit the /etc/pam.d/system-auth OR
2) much better: edit /etc/security/pam_winbind.conf and add something like: require_membership_of = DOMAIN+group

By the way, having an .ssh directory in the user's home directory with an authorized_keys file bypasses the authentication. So you might also want to add "AllowGroups root wheel DOMAIN+group" to your /etc/samba/sshd_config file.

I hope that helps,

Adam
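The refusal in the first post and the primary-group-only behaviour described above both come down to how pam_listfile resolves group membership through NSS. As an added diagnostic that is not part of this thread, the script below replays that test against a constructed NSS view modelled on the thread's getent output (the user and group names, gids and the sample_lookup/check_listfile helpers are assumptions); with the default pwd/grp lookups it runs against real system accounts.

```python
# Replay the membership test behind `pam_listfile.so item=group sense=allow`: through
# NSS (getpwnam/getgrnam), USER matches GROUP if GROUP's gid equals USER's primary gid
# or USER's login name appears verbatim in the member list (gr_mem). Both are exact
# string comparisons. Lookups are injectable so a winbind host's view replays offline.
import grp
import pwd
from collections import namedtuple

Passwd = namedtuple("Passwd", "pw_name pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")

# Constructed NSS view mirroring the thread's getent output (member listed as DOMAIN+user1).
SAMPLE_USERS = {
    "domain+user1": Passwd("domain+user1", 11000010),  # primary gid is another AD group
    "alice": Passwd("alice", 1000),                    # supplementary member of wheel
    "bob": Passwd("bob", 10),                          # wheel is bob's primary group
}
SAMPLE_GROUPS = {
    "wheel": Group("wheel", 10, ["alice"]),
    "domain+group1": Group("DOMAIN+group1", 11000040, ["DOMAIN+user1"]),
}


def sample_lookup(table):
    """Stand-in for pwd.getpwnam / grp.getgrnam over a dict (KeyError on a miss, as they raise)."""
    return lambda key: table[key]


def check_listfile(user, allowed_groups, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Decide as pam_listfile would: allowed iff USER is in at least one listed group.
    Hints record case-only mismatches, which the exact comparison silently does not count."""
    report = {"allowed": False, "matched": None, "hints": []}
    try:
        pw = getpwnam(user)
    except KeyError:
        report["hints"].append("user %r unknown to NSS" % user)
        return report
    for name in allowed_groups:
        try:
            gr = getgrnam(name)
        except KeyError:
            report["hints"].append("group %r unknown to NSS" % name)
            continue
        if pw.pw_gid == gr.gr_gid or user in gr.gr_mem:
            report.update(allowed=True, matched=name)
            return report
        for member in gr.gr_mem:
            if member.lower() == user.lower():
                report["hints"].append("%s lists %r but login name is %r (case differs)"
                                       % (name, member, user))
    return report
```

The report shows whether a match came from the primary gid or from gr_mem, and flags a member recorded as DOMAIN+user1 when the login name is domain+user1, a mismatch the "Refused user" log line alone does not reveal.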
 
  

