The idea is very simple you want to limit who can use sshd based on a list of users. The text file contains a list of users that may not log in (or allowed to log in) using the SSH server. This is used for improving security.
PAM (Pluggable authentication modules) allows you to define flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using sshd configuration option. However, if you want to block or deny a large number of users, use PAM configuration.
A note for new sys admins
- Backup all data and PAM configuration files before any modification :)
- Please be careful to perform the configuration option. Wrong configuration can lock down all login access including root access.
- Read this Linux-PAM configuration file syntax guide
- Now continue reading below for pam_listfile.so configration...
Use of pam_listfile.so module
This PAM module authenticates users based on the contents of a specified file. For example, if username exists in a file /etc/sshd/ssh.allow, sshd will grant login access.
How do I configure pam_listfile.so module to deny access?
You want to block a user, if user-name exists in a file /etc/sshd/sshd.deny file.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh
Append following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
Save and close the file
Now add all usernames to /etc/sshd/sshd.deny file. Now a user is denied to login via sshd if they are listed in this file:
# vi /etc/sshd/sshd.deny
Append username per line:
user1
user2
...
Restart sshd service:
# /etc/init.d/sshd restart
Understanding the config directives:
- auth required pam_listfile.so : Name of module required while authenticating users.
- item=user : Check the username
- sense=deny : Deny user if existing in specified file
- file=/etc/sshd/sshd.deny : Name of file which contains the list of user (one user per line)
- onerr=succeed : If an error is encountered PAM will return status PAM_SUCCESS.
How do I configure pam_listfile.so module to allow access?
You want to ALLOW a user to use ssh, if user-name exists in a file /etc/sshd/sshd.allow file.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh
Append following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
Save and close the file.
Now add all usernames to /etc/sshd/sshd.allow file. Now a user is allowed to login via sshd if they are listed in this file.
# vi /etc/sshd/sshd.allow
Append username per line:
tony
om
rocky
Restart sshd service (optional):
# /etc/init.d/sshd restart
Now if paul try to login using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).
Following log entry recorded into my log file (/var/log/secure or /var/log/auth.log file)
tail -f /var/log/auth.log
Output:
Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx
Understanding the config directives:
- auth required pam_listfile.so : Name of module required while authenticating users.
- item=user : Check or specify the username
- sense=allow : Allow user if existing in specified file
- file=/etc/sshd/sshd.allow : Name of file which contains the list of user (one user per line)
- onerr=fail : If filename does not exists or username formatting is not coreect it will not allow to login.
Further reading:
- Linux PAM guide for the system administrators'
- Sun Solaris PAM site has excellent information for both sys admins and developers
- Download the three Linux-PAM Guides, for system administrators, module developers, and application developers.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- My 10 UNIX Command Line Mistakes
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
Facebook it - Tweet it - Print it -
We're here to help you make the most of sysadmin work. So, subscribe!
{ 11 comments… read them below or add one }
This works great on local users it seems, but its not having any effect on ldap users, or groups, what would you suggest as a way to control their access?
It should work, you need to play with pam modules. Pam is designed for this kind of work only.
Hi,
If you want block all ssh access (via login/password) AND vi authorized_keys, you shoud use ‘account required pam_listfile.so item=user sense=allow file=/etc/ssh/sshd.allow onerr=succeed’
because ‘auth xxx’ line seems not checked if sshd use public keys authentification.
Bst Regard
GeraldH
It is working fine for ssh and scp.
Now I wants to block only the ssh login session. and I required the scp file transfer
anybody have an Idea
Article solved my problem!
In my experience, the line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
must be prepended (i.e., placed as the first line) in the file, not appended as this article states.
my config:
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshd/user-sshd onerr=fail
user in user-sshd:
root
user1
user2
……
now root can’t remote the vps :(
if i login as root using putty, the console window (putty) closed immedietly when root loged to vps :(
how to solve my problem??? plis help me
boot from a rescue cd and edit the files.
As stated above it is key to prepend the line to allow it to be executed by pam. There is also no need at all to restart sshd.
hi,
it doesn’t work for my system. why?
It’s not working on openldap authentication with white list on /etc/ssh/ssh.allow.
Dec 14 18:47:11 PDCSERVER slapd[21346]: conn=64795871 op=1 SRCH base=”ou=Users,dc=kama,dc=in” scope=1 deref=0 filter=”(&(objectClass=shadowAccount)(uid=rana.taba))”
Dec 14 18:47:11 showa9 sshd[22655]: error: PAM: Authentication failure for rana.taba from 192.168.100.200