
#1 2004-04-03 10:33:02

Olli
Member
Registered: 2004-04-01
Posts: 57

I need some PAM help

Hey all,

I'm currently having a tiny problem with PAM. Maybe someone around here can help me out :)

Okay what I'm trying to do and always have done on other linux boxes, I want to limit logins via ssh to specific users.

What I've always done is this:

/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]
auth       required     pam_listfile.so onerr=succeed item=user sense=allow file=/etc/ssh/loginusers
auth       required     pam_securetty.so

account    required     pam_unix.so
account    required     pam_time.so

password   required     pam_unix.so

session    required     pam_unix_session.so
session    required     pam_limits.so
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv 

The key in this all is the line:
auth       required     pam_listfile.so onerr=succeed item=user sense=allow file=/etc/ssh/loginusers

This works great on my Debian box, but I can't seem to get it to work on AL. Does anybody know what's wrong, or in which other way I can achieve this?

Thanks in advance.


DIY: Doom-It-Yourself


#2 2004-04-07 03:54:10

Win
Member
Registered: 2004-03-04
Posts: 155

Re: I need some PAM help

Hi Olli.

First, why do you have 'onerr=succeed' instead of 'onerr=fail'? The 'fail' option will deny the user access via sshd; and this seems the appropriate result.

Second, here's a nice trick to do what you want from:
http://doc.trustix.org/cgi-bin/trustixd … tSSHByUser

"How to restrict SSH Logins by username

Some times, it is useful to let only certain people log in through SSH. While this can be done by setting all the other users shells to something not useable as a login shell (like /bin/false), distributed account services such as NIS / Yellow Pages can make this difficult.

Here is a neat trick for using PAM to restrict user logins. (taken from a posting to tsl-discuss by Jonathan Gonzalez <email-lists at surestorm dot com>)

You need to do two things:

Add a line in /etc/pam.d/sshd to tell pam to first of all validate user accounts against a file listing allowed accounts.

Create the file listing allowed users.

File: /etc/pam.d/sshd (put this at the top of the file, above the rest of lines)

auth    required   /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail

File: /etc/ssh/pam.sshd (this file does not exist. Create it!)

# List of users that may log in via ssh daemon
root
oysteivi
otheradmin"

Regards,

Win

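To make the effect of sense= and onerr= discussed in both posts concrete, here is an added POSIX-sh stand-in for the decision pam_listfile makes with item=user. It is example code written for this page, not the module's source and not anything posted by Olli or Win; the user names, the "mallory" login and the temporary list file are constructed for the demo. It goes a little beyond the thread's sense=allow case: it also shows sense=deny (the "other way around" Olli mentions), and it treats a world-writable list file as unusable, which is a hardening choice of this stand-in rather than a documented pam_listfile behaviour (check pam_listfile(8) for the real module's file checks).

```shell
# Added example: a small POSIX-sh stand-in for pam_listfile's item=user decision,
# so the effect of sense= and onerr= can be seen without touching a live PAM stack.
# Not from the original posts; names and files below are constructed for the demo.

# listfile_decide USER FILE SENSE ONERR
#   Prints "allow" or "deny" and returns 0 for allow, 1 for deny.
#   SENSE: allow (only listed users pass) or deny (listed users are refused).
#   ONERR: what to do when FILE cannot be used: succeed (fail open) or fail (fail closed).
listfile_decide() {
    user=$1 file=$2 sense=$3 onerr=$4

    # A missing or unreadable list is the "error" case that onerr= governs.
    # Hardening choice of this stand-in: a world-writable list (mode o+w) is treated
    # the same way, since anyone on the box could add themselves to it.
    if [ ! -r "$file" ] || [ -n "$(find "$file" -perm -0002 -print 2>/dev/null)" ]; then
        if [ "$onerr" = succeed ]; then
            echo allow; return 0
        fi
        echo deny; return 1
    fi

    # Whole-line, literal match, one name per line. No comment syntax is parsed:
    # a line such as "# List of users ..." simply never equals a real user name.
    if grep -qxF -- "$user" "$file"; then listed=yes; else listed=no; fi

    case "$sense:$listed" in
        allow:yes|deny:no) echo allow; return 0 ;;
        *)                 echo deny;  return 1 ;;
    esac
}

# Constructed sample list in the format Win quotes (not a real /etc/ssh/pam.sshd).
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
printf '%s\n' '# List of users that may log in via ssh daemon' root oysteivi otheradmin > "$SAMPLE_LIST"

# Olli's line (sense=allow onerr=succeed) and Win's (sense=allow onerr=fail) behave the
# same while the list file exists. If the file is missing, onerr=succeed lets everyone
# in, while onerr=fail locks everyone out; for an allow-list, locked out is the safe side.
for u in root oysteivi mallory; do
    echo "$u, list present:                 $(listfile_decide "$u" "$SAMPLE_LIST" allow fail)"
    echo "$u, list missing, onerr=succeed:  $(listfile_decide "$u" /nonexistent/pam.sshd allow succeed)"
    echo "$u, list missing, onerr=fail:     $(listfile_decide "$u" /nonexistent/pam.sshd allow fail)"
done
```

With the sample list present, root and oysteivi are allowed and mallory is denied under sense=allow; flip to sense=deny and the list becomes a block-list, which is the setup Olli says he had used on a box with few users. The missing-file rows are the point Win raises: with onerr=succeed the allow-list silently stops restricting anything the moment /etc/ssh/pam.sshd is misnamed, deleted or unreadable by sshd.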

#3 2004-04-09 11:15:49

Olli
Member
Registered: 2004-04-01
Posts: 57

Re: I need some PAM help

Oh doh, yes, you're completely right. I used this method on a box which had minimal users, so I only needed to deny access to a few users and allow the rest, doh :)

The method you describe is exactly the same as I have, but the other way around.

Thanks for pointing it out though :)


DIY: Doom-It-Yourself

