Old 06-17-2009, 03:29 PM   #1
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Deny login a la access.conf but check local details as well


Hi,

I'm looking at implementing a mechanism like that provided by pam_access / access.conf to only allow certain group members to login to services on a box. As there are many different types of boxes, databases, LDAP servers etc... I'm after a way to deploy as consistent a config to all boxes and let the configuration control the behaviour based on additional data, e.g. the local IP address (grouped with netgroups or such) as well as the remote one. This way I could theoretically deploy one single file, or at least very few files, compared to potentially a unique file per box, which is just an arse to manage.

Anyone know of something that might help this sort of solution, or have a better way to look at it?
 
Old 06-18-2009, 08:37 AM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

This sounds like the dominion of SELinux. I don't know for sure, because I always disable it on new installs, but it seems like whenever I've left it enabled, any services that I wanted to use were blocked by it. I assume there are ways to select what is blocked or not.
--- rod.
 
Old 06-18-2009, 10:22 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Original Poster
I don't think SELinux would be relevant, but it's certainly not something that could be retro-enabled after deployment. I don't expect such a thing to exist, I just like things being neat and tidy across my estate.
 
Old 06-20-2009, 11:25 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Quote:
Originally Posted by acid_kewpie
I'm looking at implementing a mechanism like that provided by pam_access / access.conf to only allow certain group members to login to services on a box. As there are many different types of boxes, databases, ldap servers etc... I'm after a way to deploy as consistent a config to all boxes and let the configuration control the behaviour based on additional data, e.g. the local IP address (grouped with netgroups or such) as well as the remote one.
Just brainstorming: I'm not sure pam_access alone will be able to solve this problem.

Consider an access.conf like:
Code:
+ : @db_group : 10.50.50.0/24
+ : @foo_group : 10.50.51.0/24
- : ALL : ALL
The rules take netgroup and client IP address into consideration. If they would additionally take host IP and/or daemon name, you could easily create one file and roll it out to dozens of servers.

Would this be a candidate for tcp wrappers?

Alternatively, could you combine pam_access's capabilities with some other IP access control at the host level?

Either option would allow you to deploy a single access control file. (But the latter option would require some per-server tweaking as well.)
 
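To show how the rule format wished for in the post above could behave, here is an added Python example (not code from the thread, and not pam_access itself) that evaluates access.conf-style rules extended with a hypothetical fourth field matching the server's own address, so one file could serve several hosts; the netgroup table and addresses are constructed sample data.

```python
# Added example: evaluator for access.conf-style rules with a hypothetical
# fourth field ("localhosts") that matches the server's own address.
# The netgroup table is constructed sample data; real pam_access resolves
# @groups through NSS (local groups, NIS/LDAP netgroups).
import ipaddress

NETGROUPS = {  # constructed: netgroup name -> member logins
    "db_group": {"alice", "bob"},
    "foo_group": {"carol"},
}

# Constructed sample file: identical on every host, the 4th field picks the host.
RULES = """
+ : @db_group  : 10.50.50.0/24 : 192.168.1.10
+ : @foo_group : 10.50.51.0/24 : 192.168.1.20
- : ALL : ALL
"""

def parse_rules(text):
    """Parse 'perm : users : origins [: localhosts]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) not in (3, 4) or fields[0] not in ("+", "-"):
            raise ValueError("bad rule: %r" % line)
        perm, users, origins = fields[:3]
        locals_ = fields[3] if len(fields) == 4 else "ALL"
        rules.append((perm == "+", users.split(), origins.split(), locals_.split()))
    return rules

def user_matches(user, items):
    for item in items:
        if item == "ALL" or item == user:
            return True
        if item.startswith("@") and user in NETGROUPS.get(item[1:], ()):
            return True
    return False

def addr_matches(addr, items):
    ip = ipaddress.ip_address(addr)
    return any(item == "ALL" or ip in ipaddress.ip_network(item, strict=False)
               for item in items)

def allowed(rules, user, remote_ip, local_ip):
    """First matching rule wins. As in pam_access, no match means permit,
    which is why the sample file ends with '- : ALL : ALL'."""
    for permit, users, origins, locals_ in rules:
        if (user_matches(user, users) and addr_matches(remote_ip, origins)
                and addr_matches(local_ip, locals_)):
            return permit
    return True
```

Per-host data still has to come from somewhere (the deny-all line and a per-host address), which is the management trade-off the original poster arrives at in the next reply.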
Old 06-22-2009, 05:01 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Original Poster
The more and more I've been thinking about this, the more it seems that I'm actually just looking to push the problem to the servers rather than face up to centrally managing them. Putting one file on all machines exposes the requirements to log into other machines, and as there would be just as many individual exceptions in one file as there would be number of separate files anyway, I don't think I'd actually be better off anyway.

Thanks for the thoughts, really appreciated, but I think I've talked myself down now.

Cheers.
 