Problems with SSH and pam_listfile
John Gorkos
John.Gorkos at sensus.com
Thu Mar 11 21:17:21 UTC 2010
On Thursday 11 March 2010 15:43:27 Dan Yefimov wrote:
> On 11.03.2010 22:48, John Gorkos wrote:
> > I am having good success using pam_listfile with my LDAP directory to
> > allow/disallow users in specific posixGroups access to servers using SSH.
> > My "auth" section of /etc/pam.d/system-auth on my RHEL 5.2 system looks
> > like this:
> >
> > auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth sufficient pam_ldap.so use_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth required pam_deny.so
> >
> > If a user's UID is in a memberUID field of an objectClass=posixGroup in
> > LDAP (ou=Groups,o=XXXX), he can log in via SSH. If he's not in one of
> > the groups enumerated in /etc/login.group.allowed, he's denied... UNLESS
> > he has a public key in his ~/.ssh/authorized_keys file. If that is the
> > case, he's allowed to log in with no problems, even if he's not in an
> > allowed group.
> > Sudo (which is also controlled by LDAP) works correctly, i.e. if a user
> > is not in an allowed group, but logs into the system anyway due to an
> > authorized_keys entry, he will not be allowed to sudo execute anything.
> >
> > The problem is that I have users with keys in place already. We have
> > automated processes that use these keys, so I can't be draconian and
> > disallow key usage. On the other hand, I have a fairly fluid set of
> > people moving into and out of groups, so I need to be able to control
> > access to these machines regardless of whether there is a key in
> > authorized_keys.
> >
> > Has anyone seen this before, or is there a way that I can re-order my pam
> > config to force SSH to respect the group membership requirements?
>
> I'd suggest you checking users being allowed/denied in the account stack,
> instead of the auth one.
Superb. That did the trick. I appreciate the help. The account stack now
looks like this:
account required pam_unix.so
account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_ldap.so
account required pam_permit.so
John Gorkos
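As an added example (not part of the thread), a small Python lint that parses a PAM service file and flags access-control modules that appear only in the auth stack, which sshd does not run for public-key logins, so only rules in the account or session stack restrict a user who already has an authorized_keys entry. The two configurations embedded in it are constructed from the stacks posted above; the set of modules treated as access-control modules is an assumption.

```python
import re

# Modules that express an access policy rather than verify a credential (assumed set).
ACCESS_MODULES = {"pam_listfile.so", "pam_access.so"}
# Stacks sshd runs on every login, public-key logins included.
ALWAYS_RUN = {"account", "session"}
# stack, control (possibly bracketed, e.g. "[success=1 default=ignore]"), module, args
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (stack, control, module, args) per rule; joins backslash-continued
    lines and skips comments and blank lines."""
    rules = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m:
            stack, control, module, args = m.groups()
            rules.append((stack, control, module, args.split()))
    return rules

def bypassable_rules(text):
    """Access-control rules present only in 'auth': a public-key login never
    runs that stack, so these rules do not restrict it."""
    rules = parse_pam(text)
    enforced = {mod for stack, _, mod, _ in rules if stack in ALWAYS_RUN}
    return [(mod, " ".join(args)) for stack, _, mod, args in rules
            if stack == "auth" and mod in ACCESS_MODULES and mod not in enforced]

# Constructed sample: the auth stack posted in the thread (before the fix).
BEFORE = """\
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""
# Constructed sample: the same file with the account stack from the fix added.
AFTER = BEFORE + """\
account required pam_unix.so
account required pam_listfile.so onerr=fail item=group sense=allow \\
    file=/etc/login.group.allowed
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_ldap.so
account required pam_permit.so
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, bypassable_rules(cfg) or "ok")
```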