I'm currently having a tiny problem with PAM. Maybe someone around here can help me out
Okay what I'm trying to do and always have done on other linux boxes, I want to limit logins via ssh to specific users.
What I've always is done is this:
/etc/pam.d/sshd #%PAM-1.0 auth required pam_nologin.so auth required pam_unix.so auth required pam_env.so #  auth required pam_listfile.so onerr=succeed item=user sense=allow file=/etc/ssh/loginusers auth required pam_securetty.so account required pam_unix.so account required pam_time.so password required pam_unix.so session required pam_unix_session.so session required pam_limits.so session optional pam_motd.so #  session optional pam_mail.so standard noenv
The key in this all is the line:
auth required pam_listfile.so onerr=succeed item=user sense=allow file=/etc/ssh/loginusers
This works works great on my Debian box, but I can't seem to get it to work on AL. Does anybody know what's wrong, in which other way I can achieve this?
Thanks in advance.
First, why do you have 'onerr=succeed' instead of 'onerr=fail'? The 'fail' option will deny the user access via sshd; and this seems the appropriate result.
Second, here's a nice trick to do what you want from:
http://doc.trustix.org/cgi-bin/trustixd … tSSHByUser
"How to restrict SSH Logins by username
Some times, it is useful to let only certain people log in through SSH. While this can be done by setting all the other users shells to something not useable as a login shell (like /bin/false), distributed account services such as NIS / Yellow Pages can make this difficult.
Here is a neat trick for using PAM to restrict user logins. (taken from a posting to tsl-discuss by Jonathan Gonzalez <email-lists at surestorm dot com>)
You need to do two things:
Add a line in /etc/pam.d/sshd to tell pam to first of all validate user accounts against a file listing allowed accounts.
Create the file listing allowed users.
File: /etc/pam.d/sshd (put this at the top of the file, above the rest of lines)
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail
File: /etc/ssh/pam.sshd (this file does not exist. Create it!)
# List of users that may log in via ssh daemon
Oh doh, yes, you're completely right, I used this method on a box which had minimal users, so I only needed to deny access to a few users and allow the rest doh
The method you describe is exactly the same as I have, but the other way around.
Thanks for pointing it out though