Linux - Security (LinuxQuestions.org). This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all,
I want to restrict ssh access to users of 2 groups.
But, from what I saw in the pam_succeed_if documentation, it did not look possible. The issue is that one group is a mapped NT group via winbind, and one is a local group on the machine. Any ideas about how this can be achieved?
then the pam config file would look like this (in our case we're doing this for ssh access so this is the contents of /etc/pam.d/sshd)
#%PAM-1.0
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 16777216
account sufficient pam_succeed_if.so user ingroup windows_group_1
account required pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
For every extra ingroup line you add, add 1 to default= . That defines the number of lines to skip if the condition isn't met, i.e. it's a local ID, not an Active Directory ID. The last of the ingroup lines should be set account required; all the others in front of it should be set account sufficient.
For some reason it was necessary to have this line in the system-auth-ac file; putting it in sshd directly didn't work:
auth sufficient pam_winbind.so use_first_pass
But your question is more about mixing and matching a local group and a windows group, not multiple windows groups (although I think there's some value to wanting to do that also). Here's our entire system-auth-ac file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
to be read in - the first of which states use the standard Unix authentication modules, i.e. the /etc/passwd etc. process. Well, I think this is all ok - it's been holding up over the last two days.
#%PAM-1.0
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=2 success=ignore] pam_succeed_if.so quiet uid >= 16777216
account sufficient pam_succeed_if.so user ingroup windows_group_1
account required pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
...
Just wanted to point out (yes, I know this is an old thread, but it shows up near the top of Google for "Pam Multiple Group" and a few other related topics) that this suggested config would completely bypass the system-auth include line if the user is in the windows_group_1 group. The sufficient mode will immediately return success for that check. The way to require one of a set of requirements without breaking the basic checks in the include line is to change to the following:
What happens here is it first checks if the user is local or not (same as the OP suggested, just with the compare flipped to keep the syntax the same) and skips the group checking if so (via success=2). Next, it checks for membership in windows_group_1; if a member, it skips out of the group checking and continues at the include system-auth line, otherwise it checks for membership in windows_group_2, and fails the account section if not in that group. You can add as many groups as you like here, just duplicate the windows_group_1 line and increment the numbers in the first two lines (success=3 and success=2, the new line stays at success=1) so it will properly skip out of the group checking. The last check line should always have default=bad to fail the section. You probably want to add quiet to both the group checking lines as well so it doesn't log a failure every time someone in windows_group_2 logs in.
This basically sets up a logical OR across a bunch of checks. As shown here, it checks that the UID is below a certain minimal value, or that the user is a member of either of the groups presented (ie: ( uid<$x || $user.ingroup(windows_group_1) || $user.ingroup(windows_group_2)) ).
tmack0: I really appreciate your concern. Thanks for taking the trouble to post this here.
Yes, that surely seems a better way of doing the multiple group thing. I will modify my pam config accordingly.
Thanks for the update tmack0. Very slick. So here's the whole file for your cutting and pasting pleasure, just watch out for the ^M at the end of each line that sometimes sneaks in - dos2unix will get rid of them.
auth include system-auth
auth sufficient pam_winbind.so
account required pam_nologin.so
account [default=ignore success=2] pam_succeed_if.so quiet uid < 16777216
account [default=ignore success=1] pam_succeed_if.so user ingroup windows_group_1
account [default=bad success=ignore] pam_succeed_if.so user ingroup windows_group_2
account include system-auth
password include system-auth
password sufficient pam_winbind.so use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
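As an added illustration (not code from the thread), here is a small Python model of the PAM account-stack control semantics these two configs rely on (required, sufficient, and the bracket actions ignore/bad/N-jump), applied to the first config and to tmack0's corrected one. It assumes the include system-auth line can be modelled as a single module that succeeds, and the sample users used with it are constructed; running both stacks shows the first version returning success for a windows_group_1 member before system-auth is ever reached, while the corrected version always reaches it.

```python
from collections import namedtuple

WINBIND_UID_BASE = 16777216  # first winbind-mapped UID, as quoted in the thread
User = namedtuple("User", "name uid groups")  # groups: set of group names

# A stack line is (control, test): control is "required", "sufficient" or a dict
# of PAM bracket actions such as {"default": "ignore", "success": 2}; test is a
# callable(User) -> bool standing in for pam_succeed_if, or the string
# "system-auth" for the include line (assumption: modelled as one module that succeeds).
def run_account_stack(stack, user):
    """Return (final_result, reached_system_auth) for one user."""
    failed = False          # a required failure or a 'bad' action was recorded
    reached_sysauth = False
    i = 0
    while i < len(stack):
        control, test = stack[i]
        i += 1
        if test == "system-auth":
            reached_sysauth, ok = True, True
        else:
            ok = test(user)
        if control == "required":
            failed = failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return "success", reached_sysauth  # rest of the stack never runs
        else:
            action = control["success"] if ok else control["default"]
            if action == "bad":
                failed = True
            elif isinstance(action, int):
                i += action                        # jump over the next N lines
    return ("failure" if failed else "success"), reached_sysauth

def uid_ge(n): return lambda u: u.uid >= n
def uid_lt(n): return lambda u: u.uid < n
def ingroup(g): return lambda u: g in u.groups

# The first config posted above ('sufficient' on the windows_group_1 line)
BROKEN = [({"default": 2, "success": "ignore"}, uid_ge(WINBIND_UID_BASE)),
          ("sufficient", ingroup("windows_group_1")),
          ("required", ingroup("windows_group_2")),
          ("required", "system-auth")]
# tmack0's version: jumps instead of 'sufficient', default=bad on the last check
FIXED = [({"default": "ignore", "success": 2}, uid_lt(WINBIND_UID_BASE)),
         ({"default": "ignore", "success": 1}, ingroup("windows_group_1")),
         ({"default": "bad", "success": "ignore"}, ingroup("windows_group_2")),
         ("required", "system-auth")]
```

For example, run_account_stack(BROKEN, User("alice", 16777300, {"windows_group_1"})) returns ("success", False), i.e. access granted without system-auth running, whereas run_account_stack(FIXED, ...) for the same user returns ("success", True).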