Pam_access and netgroups
Patrick Kile
patrick at socialcast.com
Mon Aug 27 21:46:02 UTC 2012
I'm trying to get restricted ssh login working and running into an issue
with pam_access.so and how it interprets netgroups.
Pam 1.1.3 on Ubuntu 12.04
Netgroup:
UserDev ( ,alloweduser, )
SystemDev (host.sub.domain.com,,)
Here is the /etc/security/access.conf file:
+ : root :ALL
+ : @UserDev@@SystemDev : ALL
Relevant /etc/pam.d/sshd config:
account required pam_access.so debug
And here is what happens when alloweduser logs in via ssh:
login_access: user=alloweduser, from=192.168.1.10,
file=/etc/security/access.conf
line 1: + : root : ALL
list_match: list= root , item=alloweduser
user_match: tok=root, item=alloweduser
string_match: tok=root, item=alloweduser
user_match=0, "alloweduser"
line 2: + : @UserDev@@SystemDev : ALL
list_match: list= @UserDev@@SystemDev , item=alloweduser
user_match: tok=@UserDev@@SystemDev, item=alloweduser
netgroup_match: 0 (netgroup=UserDev@@SystemDev, machine=NULL,
user=alloweduser, domain=)
user_match=0, "alloweduser"
line 3: - : ALL : ALL
list_match: list= ALL , item=alloweduser
user_match: tok=ALL, item=alloweduser
string_match: tok=ALL, item=alloweduser
user_match=2, "alloweduser"
list_match: list= ALL, item=alloweduser
from_match: tok=ALL, item=192.168.1.10
string_match: tok=ALL, item=192.168.1.10
from_match=2, "192.168.1.10"
access denied for user `alloweduser' from `192.168.1.10'
Notice the line: netgroup_match: 0 (netgroup=UserDev@@SystemDev,
machine=NULL, user=alloweduser, domain=)
It isn't correctly interpreting the netgroups as two separate groups, but as
one group named UserDev@@SystemDev, which obviously fails.
Here is a valid session with the same config on a CentOS 5.5 system.
login_access: user=alloweduser, from=192.168.1.20,
file=/etc/security/access.conf
line 1: + : root : ALL
user_match: tok=root, item=alloweduser
string_match: tok=root, item=alloweduser
user_match=0, "alloweduser"
line 2: + : @UserDev@@SystemDev : ALL
user_match: tok=@UserDev@@SystemDev, item=alloweduser
user_match: tok=@UserDev, item=alloweduser
netgroup_match: 1 (group=UserDev, machine=NULL, user=alloweduser,
domain=NULL)
from_match: tok=@SystemDev, item=devsystem2
netgroup_match: 1 (group=SystemDev, machine=devsystem2, user=NULL,
domain=NULL)
user_match=1, "alloweduser"
from_match: tok=ALL, item=192.168.1.20
string_match: tok=ALL, item=192.168.1.20
from_match=2, "192.168.1.20"
Any help would be greatly appreciated.
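The two traces above differ only in whether the user field is split at the "@@" into a user netgroup and a host netgroup before innetgr() is consulted. The Python below is an added illustration of that evaluation, not part of the original post and not pam_access's own source: it emulates login_access()/user_match()/from_match() over the poster's access.conf (with the "- : ALL : ALL" line the debug output shows as line 3), against a constructed netgroup table standing in for innetgr(3). The split rule (break at the first "@" after the token's leading "@"s), the hostname "host.sub.domain.com" for the client, and the grant-when-nothing-matches default are my reading of pam_access and are assumptions; the point it shows is that the CentOS-style split yields "permitted" and the unsplit lookup falls through to the deny-all line.

```python
"""Emulate pam_access.so's access.conf evaluation with and without the
@usergroup@@hostgroup split.  Added illustration, NOT pam_access source.
The netgroup table, the client hostname and innetgr() are constructed."""

# Constructed netgroup table: name -> (host, user, domain) triples.
# None stands for an empty field, which matches anything, mirroring
# the two netgroups quoted in the post.
NETGROUPS = {
    "UserDev": [(None, "alloweduser", None)],
    "SystemDev": [("host.sub.domain.com", None, None)],
}

# The poster's file; line 3 is the deny-all the debug trace shows.
ACCESS_CONF = """\
+ : root : ALL
+ : @UserDev@@SystemDev : ALL
- : ALL : ALL
"""


def innetgr(netgroup, host=None, user=None, domain=None):
    """Stand-in for innetgr(3): True if some triple in the netgroup is
    compatible with every non-None argument.  An unknown netgroup name
    never matches, which is what the Ubuntu trace shows for the
    unsplit name 'UserDev@@SystemDev'."""
    for h, u, d in NETGROUPS.get(netgroup, []):
        if host is not None and h is not None and h != host:
            continue
        if user is not None and u is not None and u != user:
            continue
        if domain is not None and d is not None and d != domain:
            continue
        return True
    return False


def parse_access_conf(text):
    """Return [(permission, [user tokens], [origin tokens])] per line;
    list items are separated by spaces or commas."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules


def from_match(tok, item):
    """Origin field: ALL, @hostnetgroup (innetgr on the resolved
    hostname) or a literal address/hostname."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return innetgr(tok[1:], host=item["hostname"])
    return tok in (item["from"], item["hostname"])


def user_match(tok, item, split_user_host):
    """User field: ALL, a login name or @netgroup.  With
    split_user_host=True a user@host token such as @UserDev@@SystemDev
    is split (assumed rule: at the first '@' after the leading '@'s)
    into a user part and a host part that must both match, as in the
    CentOS trace.  With False the whole string after the leading '@' is
    handed to innetgr() as one netgroup name, as in the Ubuntu trace.
    Group tokens like (group) are not modelled here."""
    if tok == "ALL":
        return True
    if split_user_host:
        i = 0
        while i < len(tok) and tok[i] == "@":
            i += 1
        at = tok.find("@", i)
        if at != -1:
            if item.get("hostname") is None:
                return False
            host_item = {"from": item["hostname"], "hostname": item["hostname"]}
            return (user_match(tok[:at], item, split_user_host)
                    and from_match(tok[at + 1:], host_item))
    if tok.startswith("@"):
        return innetgr(tok[1:], user=item["user"])
    return tok == item["user"]


def login_access(rules, user, from_addr, hostname, split_user_host=True):
    """First matching line wins: '+' grants, '-' denies.  If no line
    matches, access is granted (assumed pam_access default, and the
    reason the file ends with '- : ALL : ALL')."""
    item = {"user": user, "from": from_addr, "hostname": hostname}
    for perm, users, origins in rules:
        if (any(user_match(t, item, split_user_host) for t in users)
                and any(from_match(t, item) for t in origins)):
            return perm == "+"
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for split in (True, False):
        ok = login_access(rules, "alloweduser", "192.168.1.10",
                          "host.sub.domain.com", split_user_host=split)
        print(f"split_user_host={split}: {'permitted' if ok else 'denied'}")
```

Running it prints "permitted" for the split case and "denied" for the unsplit case; the unsplit lookup asks innetgr() for a netgroup literally named UserDev@@SystemDev, which does not exist, so line 2 never matches and line 3 denies.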