There are two ways to allow / restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use login access control table. Locking down system login access is very important task if you need a secure system.
The system administrator is free to choose how individual service-providing applications will authenticate users. Many new admins not aware of PAM and related services. In this tip you are going to use authentication (auth) group, which authenticate a user and set up user credentials.
Deny or allow access to groups using PAM
pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. Service can be any one of the following
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others
How do I setup pam_listfile PAM module for group based login?
Let us say you would like to allow login to only members of wheel (root user) and webdev groups.
Step # 1: Create /etc/login.group.allowed file
/etc/login.group.allowed filename contains one line per group listed. If the group name is found, then login is allowed; else authorization request denied:
# vi /etc/login.group.allowed
Add group names:
root
wheel
webdev
Save and close the file.
Step # 2: Allow group based login to all services
Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,
- auth required pam_listfile.so : Pam module name required for allowing group based login
- onerr=fail : What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
- item=group : Check for group name
- sense=allow : The authorization request to succeed if group name found in /etc/login.group.allowed file
- file=/etc/login.group.allowed : Filename contains one line per group name listed. If the group name is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.
Caution: Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services. If you need login restrictions for specific service modify specific service located in /etc/pam.d/service-name file.
Save and close the file. This will only allow users that belong to the root, wheel and webdev group to login to the system. You can apply above technique to:
- User names
- Shell
- Tty names
- Rhost / Ruser (remote login host / user id)
The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).
=> Related PAM config FAQ : Linux PAM configuration that allows or deny user login via the sshd server
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 13 comments… read them below or add one }
wat a good idea sir ji ….Thanks ;-)
This doesn’t work. I followed both steps … but still all users can login successfully ! >.<
I second this, it does not work
running on RHEL5.6 x64
Doesn’t work, running CentOS 5.5
I need some users can do “su – ” to other users but not root how can i do that?
Hi,
Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config
the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache
Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml
thanks i’m gonna try
there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.
for example: user1 can do su to apache, but user1 cannot do su to root
Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.
I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.
Tutorial is great..
But there is one big problem..
You used requiered instead of requisite..
http://linux.die.net/man/5/pam.d
required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)
Thats the problem :)