Problems with SSH and pam_listfile

John Gorkos John.Gorkos at sensus.com
Thu Mar 11 21:17:21 UTC 2010


On Thursday 11 March 2010 15:43:27 Dan Yefimov wrote:
> On 11.03.2010 22:48, John Gorkos wrote:
> > I am having good success using pam_listfile with my LDAP directory to
> > allow/disallow users in specific posixGroups access to servers using SSH.
> >  My "auth" section of /etc/pam.d/system-auth on my RHEL 5.2 system looks
> > like this:
> > 
> > auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        sufficient    pam_ldap.so use_first_pass
> > auth        requisite     pam_succeed_if.so uid>= 500 quiet
> > auth        required      pam_deny.so
> > 
> > If a user's UID is in a memberUID field of an objectClass=posixGroup in
> > LDAP (ou=Groups,o=XXXX), he can log in via SSH.  If he's not in one of
> > the groups enumerated in /etc/login.group.allowed, he's denied... UNLESS
> > he has a public key in his ~/.ssh/authorized_keys file.  If that is the
> > case, he's allowed to log in with no problems, even if he's not in an
> > allowed group.
> > Sudo (which is also controlled by LDAP) works correctly, i.e. if a user
> > is not in an allowed group, but logs into the system anyway due to an
> > authorized_keys entry, he will not be allowed to sudo execute anything.
> > 
> > The problem is that I have users with keys in place already.  We have
> > automated processes that use these keys, so I can't be draconian and
> > disallow key usage.  On the other hand, I have a fairly fluid set of
> > people moving into and out of groups, so I need to be able to control
> > access to these machines regardless of whether there is a key in
> > authorized_keys.
> > 
> > Has anyone seen this before, or is there a way that I can re-order my pam
> > config to force SSH to respect the group membership requirements?
> 
> I'd suggest you checking users being allowed/denied in the account stack,
> instead of the auth one.

Superb.  That did the trick.  I appreciate the help.  The account stack now 
looks like this:
account     required      pam_unix.so
account     required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_ldap.so
account     required      pam_permit.so


John Gorkos
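To make the fix above concrete, here is a small added model of how Linux-PAM walks a stack and how sshd uses it. It is not code from the thread or from the PAM project. It replays the posted auth stack and the posted (fixed) account stack for constructed users, and assumes the pre-fix account stack was the posted one minus pam_listfile. The point it shows: sshd runs the PAM auth stack only for password or keyboard-interactive logins, so a successful publickey login never sees pam_listfile there, whereas the account stack is consulted for every login (given UsePAM yes in sshd_config). Modules are stand-in predicates on a user record; /etc/login.group.allowed is replaced by a constructed set.

```python
"""Toy model of Linux-PAM control-flag evaluation for the configs in this
thread.  Added example; module behaviour is approximated by predicates."""

# Stand-in for the contents of /etc/login.group.allowed (constructed).
ALLOWED_GROUPS = {"ops", "dba"}


def make_user(name, uid, groups, has_key=False, password_ok=True, ldap_ok=True):
    """A user as the modules see him: uid, group memberships (local and LDAP
    posixGroup memberUid), whether ~/.ssh/authorized_keys holds a key, and
    whether his password / LDAP account would check out."""
    return {"name": name, "uid": uid, "groups": set(groups),
            "has_key": has_key, "password_ok": password_ok, "ldap_ok": ldap_ok}


# Module stand-ins: True means PAM_SUCCESS, False means any failure code.
def listfile(u):   return bool(u["groups"] & ALLOWED_GROUPS)  # item=group sense=allow
def env(u):        return True
def unix_auth(u):  return u["password_ok"]
def ldap_auth(u):  return u["password_ok"] and u["ldap_ok"]
def uid_ge_500(u): return u["uid"] >= 500
def uid_lt_500(u): return u["uid"] < 500
def deny(u):       return False
def unix_acct(u):  return True          # no password expiry in the toy model
def ldap_acct(u):  return u["ldap_ok"]
def permit(u):     return True

AUTH_STACK = [                          # the posted auth section
    ("required",   listfile),
    ("required",   env),
    ("sufficient", unix_auth),
    ("sufficient", ldap_auth),
    ("requisite",  uid_ge_500),
    ("required",   deny),
]
ACCOUNT_STACK_NEW = [                   # the posted, fixed account section
    ("required",   unix_acct),
    ("required",   listfile),
    ("sufficient", uid_lt_500),
    ("sufficient", ldap_acct),
    ("required",   permit),
]
# Assumption: before the fix the account stack was the same minus pam_listfile.
ACCOUNT_STACK_OLD = [e for e in ACCOUNT_STACK_NEW if e[1] is not listfile]


def run_stack(stack, user):
    """Linux-PAM semantics for required / requisite / sufficient."""
    failed = False
    for control, module in stack:
        ok = module(user)
        if control == "required":
            failed = failed or not ok        # remember the failure, keep going
        elif control == "requisite":
            if not ok:
                return False                 # abort the stack immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                  # short-circuit success
            # a failing 'sufficient' is simply ignored
    return not failed


def sshd_login(user, account_stack, use_key=None):
    """Model sshd: publickey auth bypasses the PAM auth stack entirely; the
    account stack is always consulted before the session is granted."""
    if use_key is None:
        use_key = user["has_key"]
    auth_ok = True if use_key else run_stack(AUTH_STACK, user)
    return auth_ok and run_stack(account_stack, user)


if __name__ == "__main__":
    alice = make_user("alice", 1001, {"ops"}, has_key=True)
    bob = make_user("bob", 1002, {"dev"}, has_key=True)   # key, but no allowed group
    for u in (alice, bob):
        print(u["name"], "old:", sshd_login(u, ACCOUNT_STACK_OLD),
              "new:", sshd_login(u, ACCOUNT_STACK_NEW))
```

Running it shows bob (key present, not in an allowed group) getting in under the old placement and being refused under the new one, while a password login for bob is refused either way because the auth stack still contains pam_listfile. One subtlety the model also exposes: a `sufficient` success does not override an earlier `required` failure, so with pam_listfile placed as `required` ahead of the `uid < 500` line, a local account outside the listed groups is refused as well; whether that is wanted depends on which local accounts need SSH access.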



