20 comment

1. wat a good idea sir ji ….Thanks 😉

2. This doesn’t work. I followed both steps … but still all users can login successfully ! >.<

3. I second this, it does not work
   running on RHEL5.6 x64

4. Doesn’t work, running CentOS 5.5

5. I need some users can do “su – ” to other users but not root how can i do that?

   1. Hi,
      Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config

      1. the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache

6. Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml

7. thanks i’m gonna try

8. there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.

   for example: user1 can do su to apache, but user1 cannot do su to root

9. Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

   1. I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.

10. Tutorial is great..
    But there is one big problem..
    You used requiered instead of requisite..

    http://linux.die.net/man/5/pam.d

    required
    failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

    requisite
    like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

    Thats the problem 🙂

11. Works great. Only users part of wheel group can login now.

    But now when those user try to use sudo, they get this error:

    sudo: pam_authenticate: Error in service module

    1. Check sudo log file or system log file in /var/log directory.

       1. Thank you. I had file=etc/…. instead or file=/etc/….

    2. Can you please be more specific on how you got it to work?

       1. In the /etc/pam.d/system-auth file, the correct line should read:
          auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

          I had:
          auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed

          (notice there is no ‘/’ in front of etc/login.group.allowed)

12. I couldn’t resist commenting. Perfectly written!

13. So this works perfectly with one huge exception. The server I have this enabled on is running a cups server. I need to be able to login though a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to the /etc/login.group.allowed, but logins over HTTPS are being blocked.

    I have no issue using the ssh and sudo with groups in the /etc/login.group.allowed file the issue seems specific to authentication with HTTPS.

    Any pointers on how I can get HTTPS authentication working?

    Thanks!
    Scott

    Is there a way to

    Have a question? Post it on our forum!