Deny login a la access.conf but check local details as well
Linux - Security
Hi,
I'm looking at implementing a mechanism like that provided by pam_access / access.conf to only allow certain group members to log in to services on a box. As there are many different types of boxes (databases, LDAP servers, etc.), I'm after a way to deploy as consistent a config as possible to all boxes and let the configuration control the behaviour based on additional data, e.g. the local IP address (grouped with netgroups or such) as well as the remote one. This way I could theoretically deploy one single file, or at least very few files, compared to potentially a unique file per box, which is just an arse to manage.
Anyone know of something that might help this sort of solution, or have a better way to look at it?
This sounds like the dominion of SELinux. I don't know for sure, because I always disable it on new installs, but it seems like whenever I've left it enabled, any services that I wanted to use were blocked by it. I assume there are ways to select what is blocked or not.
--- rod.
I don't think SELinux would be relevant, but it's certainly not something that could be retro-enabled after deployment. I don't expect such a thing to exist, I just like things being neat and tidy across my estate.
I'm looking at implementing a mechanism like that provided by pam_access / access.conf to only allow certain group members to login to services on a box. As there are many different types of boxes, databases, ldap servers etc... I'm after a way to deploy as consistent a config to all boxes and let the configuration control the behaviour based on additional data, e.g. the local IP address (grouped with netgroups or such) as well as the remote one.
Just brainstorming: I'm not sure pam_access alone will be able to solve this problem.
Consider an access.conf like:
Code:
+ : @db_group : 10.50.50.0/24
+ : @foo_group : 10.50.51.0/24
- : ALL : ALL
The rules take netgroup and client IP address into consideration. If they would additionally take host IP and/or daemon name, you could easily create one file and roll it out to dozens of servers.
Would this be a candidate for tcp wrappers?
Alternatively, could you combine pam_access's capabilities with some other IP access control at the host level?
Either option would allow you to deploy a single access control file. (But the latter option would require some per-server tweaking as well.)
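The gap both posts circle around is that pam_access only matches the client side of a connection; nothing in access.conf can say "this rule applies only on hosts in 10.50.50.0/24". Below is an added example, not code from the thread or from Linux-PAM, of the piece that would make the single-file idea work: one estate-wide policy file with a local-network column, and a small generator run on each host that keeps only the rules whose local_net contains one of that host's addresses and writes out plain access.conf syntax, one file per PAM service. The policy file format, its column names and the sample rules are all constructed for the illustration; the output syntax (`+ : user : origin`, `- : ALL : ALL`) is pam_access's own.

```python
"""Render per-host pam_access files from one central policy.

Added example, not from the thread or from Linux-PAM. pam_access matches
only the client origin, so the "does this rule apply on this host?"
decision is made here, before the file is written. The policy format
below is an assumption made for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample policy, one rule per line:
#   <local_net> <pam_service> <user_or_@netgroup> <client_origin>
# local_net selects the hosts a rule applies to; ALL means every host.
# The last column is passed through untouched, so pam_access keywords
# such as LOCAL or ALL and CIDR client ranges work as they do in access.conf.
SAMPLE_POLICY = """\
# local_net       service  who           from
10.50.50.0/24     sshd     @db_admins    10.1.0.0/16
10.50.51.0/24     sshd     @web_admins   10.1.0.0/16
ALL               sshd     @ops          10.2.0.0/24
10.50.50.0/24     login    @db_admins    LOCAL
"""

Rule = Tuple[str, str, str, str]


def parse_policy(text: str) -> List[Rule]:
    """Parse the central policy; fail loudly on malformed lines or bad CIDRs."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"policy line {lineno}: expected 4 fields, got {len(fields)}")
        local_net, service, who, origin = fields
        if local_net != "ALL":
            # strict=True rejects e.g. 10.50.50.7/24 so a typo cannot silently
            # widen or narrow the set of hosts a rule lands on.
            ipaddress.ip_network(local_net, strict=True)
        rules.append((local_net, service, who, origin))
    return rules


def applies_here(local_net: str, local_ips: Iterable[str]) -> bool:
    """True if any of this host's addresses falls inside local_net."""
    if local_net == "ALL":
        return True
    net = ipaddress.ip_network(local_net)
    # A v4 address is never "in" a v6 network and vice versa, so mixed
    # address families simply do not match rather than raising.
    return any(ipaddress.ip_address(ip) in net for ip in local_ips)


def render_access_conf(policy_text: str, local_ips: Iterable[str],
                       keep_console_root: bool = True) -> Dict[str, str]:
    """Return {pam_service: access.conf contents} for this host.

    Every generated file ends in "- : ALL : ALL", so a host that matches
    no rule for a service ends up with nothing but the deny-all line.
    keep_console_root adds "+ : root : LOCAL" first so a bad policy push
    cannot lock the console out along with everything else.
    """
    ips = list(local_ips)
    per_service: Dict[str, List[str]] = {}
    for local_net, service, who, origin in parse_policy(policy_text):
        if applies_here(local_net, ips):
            per_service.setdefault(service, []).append(f"+ : {who} : {origin}")

    rendered: Dict[str, str] = {}
    for service, allow_lines in per_service.items():
        body: List[str] = []
        if keep_console_root:
            body.append("+ : root : LOCAL")
        body.extend(allow_lines)
        body.append("- : ALL : ALL")
        rendered[service] = "\n".join(body) + "\n"
    return rendered


if __name__ == "__main__":
    # Stand-alone run: pretend this is a database host in 10.50.50.0/24.
    for svc, text in render_access_conf(SAMPLE_POLICY, ["127.0.0.1", "10.50.50.7"]).items():
        print(f"# /etc/security/access-{svc}.conf")
        print(text)
```

Each rendered file is meant to be referenced from the matching service's PAM stack with pam_access's `accessfile=` option, e.g. `account required pam_access.so accessfile=/etc/security/access-sshd.conf` in /etc/pam.d/sshd, which is how the "daemon name" dimension the reply asks for is recovered without pam_access itself knowing about it. The host's own addresses would come from `ip -o addr` or the configuration management system rather than being hard-coded as in the `__main__` block. Two things to check before turning it on: that the `account` line is actually present in every stack you expect it to protect (pam_access does nothing for a service whose stack never calls it), and that the generated file still admits whoever you need for out-of-band recovery.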
The more I've been thinking about this, the more it seems that I'm actually just looking to push the problem to the servers rather than face up to centrally managing them. Putting one file on all machines exposes the requirements to log into other machines, and as there would be just as many individual exceptions in one file as there would be separate files anyway, I don't think I'd actually be better off.
Thanks for the thoughts, really appreciated, but I think I've talked myself down now.