Hi all,
I'm currently using the pam_listfile.so module to limit ssh access based on a list of users (both AD users and local users). Here is what my current /etc/pam.d/sshd looks like:
Code:
#%PAM-1.0
auth required pam_listfile.so item=user sense=allow file=/etc/security/login.allowed onerr=fail
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
account required pam_nologin.so
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
My login.allowed file looks like:
Code:
root
administrator
domain+user1
domain+user2
Now what I want to accomplish is to limit the SSH access from a group list instead of a user list; however, when I do this, all my AD users get locked out. My configuration was changed to this:
Code:
#%PAM-1.0
auth required pam_listfile.so item=group sense=allow file=/etc/security/group.allowed onerr=fail
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
account required pam_nologin.so
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
and my group.allowed list like so:
Code:
wheel
domain+group1
With this setup, only the users in the wheel group are able to ssh in, but not the users in the domain group. I also get this in /var/log/secure:
Code:
pam_listfile(sshd:auth): Refused user domain+user1 for service sshd
So it seems like it is looking in the group.allowed file but doesn't seem to get from AD that the user actually does belong to that group.
Running further tests with getent group, I get this:
Code:
# getent group domain+group1
DOMAIN+group1:*:11000040:DOMAIN+user1
Could this be a bug in the pam module? That's the only thing I can think of. Any ideas?
Thanks in advance,
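A command-line check to go with the post above, added here as an example and not part of the original post or of pam_listfile itself. It reads an item=group allow list in the format the post uses (one group per line, blank lines and # comments skipped), resolves a user's groups through NSS the same way PAM would (id, then getent, so winbind-backed names come back exactly as winbind returns them, with spaces in AD group names preserved), and reports whether the user is allowed by an exact line match. Because the post's getent output prints DOMAIN+group1 in upper case while the list file has domain+group1, the script also reports separately whether a match would exist only when case is ignored, so a "Refused user" entry in /var/log/secure can be checked against what the name service actually returns. The function names (allowed_by_list, case_only_match, user_groups, explain_user) and the sample group list are constructed for this example; how pam_listfile itself compares names is not reproduced here, so treat the result as a diagnostic, not a verdict.

```shell
#!/bin/sh
# Added example: check a user against an item=group allow list from the shell.
# Requires id, getent and tr (standard on any system running PAM + winbind).

# Newline character, built portably (command substitution strips a bare "\n").
nl=$(printf '\nx'); nl=${nl%x}

# lc STRING: lower-case every line of STRING.
lc() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# contains_line HAYSTACK NEEDLE: exit 0 when NEEDLE equals one full line of
# HAYSTACK (exact, case-sensitive, no globbing on the needle).
contains_line() {
  case "$nl$1$nl" in *"$nl$2$nl"*) return 0 ;; esac
  return 1
}

# allowed_by_list GROUPS ALLOWFILE: GROUPS is one group name per line;
# ALLOWFILE is the list file. Exit 0 on the first exact match, 1 otherwise.
allowed_by_list() {
  groups_exact="$1"; allowfile="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
    contains_line "$groups_exact" "$line" && return 0
  done < "$allowfile"
  return 1
}

# case_only_match GROUPS ALLOWFILE: like allowed_by_list, but compares with
# both sides lower-cased. Exit 0 when a name matches ignoring case.
case_only_match() {
  groups_lc=$(lc "$1"); allowfile="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    contains_line "$groups_lc" "$(lc "$line")" && return 0
  done < "$allowfile"
  return 1
}

# user_groups USER: print the user's group names, one per line, resolved via
# NSS (numeric gids from id, names from getent) so names with spaces survive.
user_groups() {
  for gid in $(id -G "$1"); do
    getent group "$gid" | cut -d: -f1
  done
}

# explain_user USER ALLOWFILE: live check for a real account.
# Exit 0 = allowed, 1 = denied, 2 = user unknown to NSS.
explain_user() {
  user="$1"; allowfile="$2"
  id "$user" >/dev/null 2>&1 || { echo "unknown user: $user"; return 2; }
  groups=$(user_groups "$user")
  if allowed_by_list "$groups" "$allowfile"; then
    echo "$user: allowed by $allowfile"; return 0
  elif case_only_match "$groups" "$allowfile"; then
    echo "$user: denied; a listed group matches only when case is ignored"
    echo "  groups from NSS:"; printf '    %s\n' "$groups"
    return 1
  else
    echo "$user: denied; none of the user's groups is listed"; return 1
  fi
}

# Constructed demonstration with the list from the post and the group names
# as the post's getent output prints them (upper-case DOMAIN+ prefix).
sample=$(mktemp)
printf '# sample group.allowed\nwheel\ndomain+group1\n' > "$sample"
ad_groups=$(printf 'DOMAIN+group1\nDOMAIN+user1')
if allowed_by_list "$ad_groups" "$sample"; then
  echo "demo: exact match -> allowed"
elif case_only_match "$ad_groups" "$sample"; then
  echo "demo: no exact match, but a match ignoring case -> check name case"
else
  echo "demo: no match at all"
fi
rm -f "$sample"
# Live use on a host:  explain_user domain+user1 /etc/security/group.allowed
```

Keep onerr=fail on the pam_listfile line while testing, as in the post: a missing or unreadable list file should deny, not silently allow. Running explain_user as root for one affected account gives the exact spelling the name service returns for each group, which is the value to compare against the list file.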