Pam_access and netgroups

Patrick Kile patrick at socialcast.com
Mon Aug 27 21:46:02 UTC 2012 

I'm trying to get restricted ssh login working and running into an issue
with pam_access.so and how it interprets netgroups.

Pam 1.1.3 on Ubuntu 12.04

Netgroup:
UserDev ( ,alloweduser, )
SystemDev (host.sub.domain.com,,)

Here is the /etc/security/access.conf file:
+ : root :ALL
+ : @UserDev@@SystemDev : ALL

Relevant /etc/pam.d/sshd config:
account required pam_access.so debug

And here is what happens when alloweduser logs in via ssh:

login_access: user=alloweduser, from=192.168.1.10,
file=/etc/security/access.conf
line 1: +  :  root : ALL
list_match: list= root , item=alloweduser
user_match: tok=root, item=alloweduser
string_match: tok=root, item=alloweduser
user_match=0, "alloweduser"
line 2: +  :  @UserDev@@SystemDev  :  ALL
list_match: list= @UserDev@@SystemDev , item=alloweduser
user_match: tok=@UserDev@@SystemDev, item=alloweduser
netgroup_match: 0 (netgroup=UserDev@@SystemDev, machine=NULL,
user=alloweduser, domain=)
user_match=0, "alloweduser"
line 3: -  :  ALL  :  ALL
list_match: list= ALL , item=alloweduser
user_match: tok=ALL, item=alloweduser
string_match: tok=ALL, item=alloweduser
user_match=2, "alloweduser"
list_match: list= ALL, item=alloweduser
from_match: tok=ALL, item=192.168.1.10
string_match: tok=ALL, item=192.168.1.10
from_match=2, "192.168.1.10"
access denied for user `alloweduser' from `192.168.1.10'

Notice the line: netgroup_match: 0 (netgroup=UserDev@@SystemDev,
machine=NULL, user=alloweduser, domain=)

It isn't correctly interpreting the netgroups as 2 separate groups, but one
group named : UserDev@@SystemDev which obviously fails.

Here is a valid session with the same config on a CentOS 5.5 system.

login_access: user=alloweduser, from=192.168.1.20,
file=/etc/security/access.conf
line 1: + : root : ALL
user_match: tok=root, item=alloweduser
string_match: tok=root, item=alloweduser
user_match=0, "alloweduser"
line 2: + : @UserDev@@SystemDev : ALL
user_match: tok=@UserDev@@SystemDev, item=alloweduser
user_match: tok=@UserDev, item=alloweduser
netgroup_match: 1 (group=UserDev, machine=NULL, user=alloweduser,
domain=NULL)
from_match: tok=@SystemDev, item=devsystem2
netgroup_match: 1 (group=SystemDev, machine=devsystem2, user=NULL,
domain=NULL)
user_match=1, "alloweduser"
from_match: tok=ALL, item=192.168.1.20
string_match: tok=ALL, item=192.168.1.20
from_match=2, "192.168.1.20"

Any help would be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20120827/60b4f62f/attachment.htm>

More information about the Pam-list mailing list