{ 18 comments… read them below or add one }

1 ashwani June 10, 2009 at 10:11 pm

wat a good idea sir ji ….Thanks ;-)


2 yash August 11, 2010 at 3:28 am

This doesn’t work. I followed both steps … but still all users can login successfully ! >.<


3 scott rineer March 30, 2011 at 4:24 pm

I second this, it does not work
running on RHEL5.6 x64


4 Denis April 12, 2011 at 3:28 pm

Doesn’t work, running CentOS 5.5


5 popfobia May 5, 2011 at 12:07 pm

I need some users can do “su – ” to other users but not root how can i do that?


6 Remy May 6, 2011 at 12:42 am

Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config


7 popfobia May 16, 2011 at 7:47 pm

the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache


8 Remy May 18, 2011 at 8:04 pm

Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml


9 popfobia May 18, 2011 at 9:26 pm

thanks i’m gonna try


10 popfobia May 18, 2011 at 9:44 pm

there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.

for example: user1 can do su to apache, but user1 cannot do su to root


11 heegemcgee May 3, 2012 at 9:30 pm

Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.


12 kris January 15, 2013 at 8:27 pm

I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.


13 Philipp May 28, 2012 at 3:43 pm

Tutorial is great..
But there is one big problem..
You used requiered instead of requisite..


failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

Thats the problem :)


14 chase October 30, 2013 at 8:29 pm

Works great. Only users part of wheel group can login now.

But now when those user try to use sudo, they get this error:

sudo: pam_authenticate: Error in service module


15 nixCraft October 31, 2013 at 7:52 am

Check sudo log file or system log file in /var/log directory.


16 chase October 31, 2013 at 3:42 pm

Thank you. I had file=etc/…. instead or file=/etc/….


17 Prime December 4, 2013 at 4:19 pm

Can you please be more specific on how you got it to work?


18 Chase December 4, 2013 at 5:48 pm

In the /etc/pam.d/system-auth file, the correct line should read:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

I had:
auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed

(notice there is no ‘/’ in front of etc/login.group.allowed)


Leave a Comment

Tagged as: , , , ,

Previous post:

Next post: