≡ Menu

pluggable authentication modules

Vsftpd supports virtual users with PAM (pluggable authentication modules). A virtual user is a user login which does not exist as a real login on the system in /etc/passwd and /etc/shadow file. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server but cannot login to system to use other services such as ssh or smtp.
[click to continue…]

It happens all the time. Sooner or later, every organization may run out of qualified UNIX system administrator / staff because of various issues. As a single admin you may have to do lots of work because other people in accouting, sales, or programmers may not have all the skills required to run servers. Also, I don't trust new people or people with Windows background. I also don't have a time for UNIX admin training for new person.

In short, to avoid overloading yourself, I recommend sudo. It allows you to delegate authority to give certain users or groups of users the ability to run some commands as root or another user while providing an audit trail of the commands and their arguments via a log file. With sudo you don't have to share root password with anybody. Another option is Pluggable Authentication Modules (PAM) under UNIX / Linux. Command tasks such can be delegated via sudo program:

  1. Start / stop / restart common services and configurations, e.g. Jboss, Tomcat, Apache, Mysql etc
  2. Shutdown / reboot server
  3. Backup data to tape
  4. Run other individuate tasks and commands as per requirements and so on.

Once you started to trust their skills sets, grant them more privileges or may be promote them as full time UNIX sys admins.

In totally unrelated news : Bill Gates, retired as chairman. Checkout the hits and misses of his leadership of Microsoft.

Open SSH Logo

The idea is very simple you want to limit who can use sshd based on a list of users. The text file contains a list of users that may not log in (or allowed to log in) using the SSH server. This is used for improving security.

PAM (Pluggable authentication modules) allows you to define flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using sshd configuration option. However, if you want to block or deny a large number of users, use PAM configuration.

A note for new sys admins

  1. Backup all data and PAM configuration files before any modification :)
  2. Please be careful to perform the configuration option. Wrong configuration can lock down all login access including root access.
  3. Read this Linux-PAM configuration file syntax guide
  4. Now continue reading below for pam_listfile.so configration...

Use of pam_listfile.so module

This PAM module authenticates users based on the contents of a specified file. For example, if username exists in a file /etc/sshd/ssh.allow, sshd will grant login access.

How do I configure pam_listfile.so module to deny access?

You want to block a user, if user-name exists in a file /etc/sshd/sshd.deny file.

Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed

Save and close the file

Now add all usernames to /etc/sshd/sshd.deny file. Now a user is denied to login via sshd if they are listed in this file:
# vi /etc/sshd/sshd.deny

Append username per line:
user1
user2
...

Restart sshd service:
# /etc/init.d/sshd restart

Understanding the config directives:

  • auth required pam_listfile.so : Name of module required while authenticating users.
  • item=user : Check the username
  • sense=deny : Deny user if existing in specified file
  • file=/etc/sshd/sshd.deny : Name of file which contains the list of user (one user per line)
  • onerr=succeed : If an error is encountered PAM will return status PAM_SUCCESS.

How do I configure pam_listfile.so module to allow access?

You want to ALLOW a user to use ssh, if user-name exists in a file /etc/sshd/sshd.allow file.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends)
# vi /etc/pam.d/ssh

Append following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

Save and close the file.

Now add all usernames to /etc/sshd/sshd.allow file. Now a user is allowed to login via sshd if they are listed in this file.
# vi /etc/sshd/sshd.allow

Append username per line:
tony
om
rocky

Restart sshd service (optional):
# /etc/init.d/sshd restart

Now if paul try to login using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).

Following log entry recorded into my log file (/var/log/secure or /var/log/auth.log file)
tail -f /var/log/auth.log

Output:

Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx

Understanding the config directives:

  • auth required pam_listfile.so : Name of module required while authenticating users.
  • item=user : Check or specify the username
  • sense=allow : Allow user if existing in specified file
  • file=/etc/sshd/sshd.allow : Name of file which contains the list of user (one user per line)
  • onerr=fail : If filename does not exists or username formatting is not coreect it will not allow to login.

Further reading:

  1. Linux PAM guide for the system administrators'
  2. Sun Solaris PAM site has excellent information for both sys admins and developers
  3. Download the three Linux-PAM Guides, for system administrators, module developers, and application developers.