Linux PAM configuration that allows or denies login via the sshd server

Posted by Vivek Gite [Last updated: September 13, 2007]


The idea is very simple: you want to limit who can use sshd based on a list of users. A text file contains the list of users that may not log in (or that are allowed to log in) using the SSH server. This is used for improving security.

PAM (Pluggable Authentication Modules) allows you to define a flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using an sshd configuration option. However, if you want to block or deny a large number of users, use the PAM configuration instead.

A note for new sys admins

  1. Back up all data and PAM configuration files before any modification :)
  2. Please be careful when changing the configuration. A wrong configuration can lock out all login access, including root access.
  3. Read this Linux-PAM configuration file syntax guide
  4. Now continue reading below for the pam_listfile.so configuration...

Use of pam_listfile.so module

This PAM module authenticates users based on the contents of a specified file. For example, if a username exists in the file /etc/sshd/ssh.allow, sshd will grant login access.

How do I configure pam_listfile.so module to deny access?

You want to block a user if the username exists in the file /etc/sshd/sshd.deny.

Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed

Save and close the file

Now add all usernames to the /etc/sshd/sshd.deny file. A user listed in this file is denied login via sshd:
# vi /etc/sshd/sshd.deny

Append username per line:
user1
user2
...

Restart sshd service:
# /etc/init.d/sshd restart

Understanding the config directives:

item=user tells pam_listfile.so to check the login name (the module can also check tty, rhost, ruser, group or shell). sense=deny refuses the user when the name is found in the file and passes the check otherwise; sense=allow passes the check only when the name is found. file= names the list, one entry per line. onerr= decides what the module returns when the file cannot be used: onerr=succeed lets the check pass, so a missing or unreadable deny list silently lets everyone through, while onerr=fail makes the line fail, so a missing allow list locks everyone out. The list must be a plain file that is not world-writable, otherwise the module will not use it.

How do I configure pam_listfile.so module to allow access?

You want to ALLOW a user to use ssh if the username exists in the file /etc/sshd/sshd.allow.

Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append the following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

Save and close the file.

Now add all usernames to the /etc/sshd/sshd.allow file. A user is allowed to log in via sshd only if they are listed in this file.
# vi /etc/sshd/sshd.allow

Append username per line:
tony
om
rocky

Restart sshd service (optional):
# /etc/init.d/sshd restart

Now if paul tries to log in using ssh, he will get an error:
Permission denied (publickey,keyboard-interactive).

The following log entries were recorded in my log file (/var/log/secure or /var/log/auth.log):
tail -f /var/log/auth.log

Output:

Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx
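Added example, not from the original post: a small POSIX sh emulation of the pam_listfile.so item=user decision, so you can see what a given deny or allow list and onerr setting will do for a user before editing /etc/pam.d/sshd. The function name and the temporary list files are mine, not the module's, and the usernames are the constructed ones from the lists above.

```shell
#!/bin/sh
# Emulates the pam_listfile.so decision for item=user.
# Output: "success" (this auth line passes), "deny" (user refused) or
# "error" (list unusable and onerr=fail; under "required" the stack fails).
# Usage: listfile_decision USER SENSE LISTFILE ONERR
listfile_decision() {
  user=$1 sense=$2 file=$3 onerr=$4
  # A list that cannot be read is the onerr case: onerr=succeed passes
  # the check (fail-open), onerr=fail fails it (fail-closed).
  if [ ! -r "$file" ]; then
    if [ "$onerr" = succeed ]; then echo success; else echo error; fi
    return 0
  fi
  # pam_listfile refuses to use a world-writable list (9th char of the
  # ls mode string is the other-write bit); treated as a denial here.
  if [ "$(ls -ld "$file" | cut -c9)" = w ]; then echo deny; return 0; fi
  # Entries are whole-line, literal usernames: no comments, no globs.
  if grep -qx -- "$user" "$file"; then found=1; else found=0; fi
  case "$sense:$found" in
    allow:1|deny:0) echo success ;;
    *)              echo deny ;;
  esac
}

# Demo with constructed lists in a temporary directory.
tmp=$(mktemp -d)
printf 'user1\nuser2\n' > "$tmp/sshd.deny"      # constructed deny list
printf 'tony\nom\nrocky\n' > "$tmp/sshd.allow"  # constructed allow list
chmod 644 "$tmp/sshd.deny" "$tmp/sshd.allow"
echo "deny list, user1: $(listfile_decision user1 deny "$tmp/sshd.deny" succeed)"
echo "deny list, paul:  $(listfile_decision paul deny "$tmp/sshd.deny" succeed)"
echo "allow list, paul: $(listfile_decision paul allow "$tmp/sshd.allow" fail)"
echo "allow list, tony: $(listfile_decision tony allow "$tmp/sshd.allow" fail)"
# The fail-open trap: a missing deny list with onerr=succeed lets everyone in.
rm "$tmp/sshd.deny"
echo "deny list gone:   $(listfile_decision user1 deny "$tmp/sshd.deny" succeed)"
rm -rf "$tmp"
```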


Further reading:

  1. Linux PAM guide for system administrators
  2. Sun Solaris PAM site has excellent information for both sys admins and developers
  3. Download the three Linux-PAM Guides, for system administrators, module developers, and application developers.



Discussion on This Article:

  1. nick Says:

    This works great on local users it seems, but it's not having any effect on LDAP users or groups. What would you suggest as a way to control their access?

  2. vivek Says:

    It should work; you need to play with PAM modules. PAM is designed for this kind of work only.


Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Sitemap - Powered by Open source software.