≡ Menu

Linux allow / restrict system logins to specific user groups only using pam_listfile PAM module

There are two ways to allow / restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use login access control table. Locking down system login access is very important task if you need a secure system.

The system administrator is free to choose how individual service-providing applications will authenticate users. Many new admins not aware of PAM and related services. In this tip you are going to use authentication (auth) group, which authenticate a user and set up user credentials.

Deny or allow access to groups using PAM

pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. Service can be any one of the following
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others

How do I setup pam_listfile PAM module for group based login?

Let us say you would like to allow login to only members of wheel (root user) and webdev groups.

Step # 1: Create /etc/login.group.allowed file

/etc/login.group.allowed filename contains one line per group listed. If the group name is found, then login is allowed; else authorization request denied:
# vi /etc/login.group.allowed
Add group names:
root
wheel
webdev

Save and close the file.

Step # 2: Allow group based login to all services

Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,

  • auth required pam_listfile.so : Pam module name required for allowing group based login
  • onerr=fail : What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
  • item=group : Check for group name
  • sense=allow : The authorization request to succeed if group name found in /etc/login.group.allowed file
  • file=/etc/login.group.allowed : Filename contains one line per group name listed. If the group name is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.

Caution: Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services. If you need login restrictions for specific service modify specific service located in /etc/pam.d/service-name file.

Save and close the file. This will only allow users that belong to the root, wheel and webdev group to login to the system. You can apply above technique to:

  • User names
  • Shell
  • Tty names
  • Rhost / Ruser (remote login host / user id)

The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).

=> Related PAM config FAQ : Linux PAM configuration that allows or deny user login via the sshd server

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

Comments on this entry are closed.

  • ashwani June 10, 2009, 10:11 pm

    wat a good idea sir ji ….Thanks ;-)

  • yash August 11, 2010, 3:28 am

    This doesn’t work. I followed both steps … but still all users can login successfully ! >.<

  • scott rineer March 30, 2011, 4:24 pm

    I second this, it does not work
    running on RHEL5.6 x64

  • Denis April 12, 2011, 3:28 pm

    Doesn’t work, running CentOS 5.5

  • popfobia May 5, 2011, 12:07 pm

    I need some users can do “su – ” to other users but not root how can i do that?

    • Remy May 6, 2011, 12:42 am

      Hi,
      Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config

      • popfobia May 16, 2011, 7:47 pm

        the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache

  • Remy May 18, 2011, 8:04 pm

    Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml

  • popfobia May 18, 2011, 9:26 pm

    thanks i’m gonna try

  • popfobia May 18, 2011, 9:44 pm

    there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.

    for example: user1 can do su to apache, but user1 cannot do su to root

  • heegemcgee May 3, 2012, 9:30 pm

    Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

    • kris January 15, 2013, 8:27 pm

      I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.

  • Philipp May 28, 2012, 3:43 pm

    Tutorial is great..
    But there is one big problem..
    You used requiered instead of requisite..

    http://linux.die.net/man/5/pam.d

    required
    failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

    requisite
    like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

    Thats the problem :)

  • chase October 30, 2013, 8:29 pm

    Works great. Only users part of wheel group can login now.

    But now when those user try to use sudo, they get this error:

    sudo: pam_authenticate: Error in service module

    • nixCraft October 31, 2013, 7:52 am

      Check sudo log file or system log file in /var/log directory.

      • chase October 31, 2013, 3:42 pm

        Thank you. I had file=etc/…. instead or file=/etc/….

    • Prime December 4, 2013, 4:19 pm

      Can you please be more specific on how you got it to work?

      • Chase December 4, 2013, 5:48 pm

        In the /etc/pam.d/system-auth file, the correct line should read:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

        I had:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed

        (notice there is no ‘/’ in front of etc/login.group.allowed)