
  1. There is a problem with that; it is like using the wheel group. I need a normal user to be able to su to another normal user, but not to root.

    For example: user1 can su to apache, but user1 cannot su to root.

  2. Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

    1. I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.

  3. Tutorial is great.
    But there is one big problem.
    You used required instead of requisite.

    http://linux.die.net/man/5/pam.d

    required
    failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

    requisite
    like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

    That's the problem 🙂

      1. In the /etc/pam.d/system-auth file, the correct line should read:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

        I had:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed

        (notice there is no ‘/’ in front of etc/login.group.allowed)
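As an added example (my own code, not from the post or any commenter), a small Python lint over constructed pam.d snippets that checks the points raised in comments 2 and 3: which common stack (system-auth or password-auth) a service file pulls in, whether the pam_listfile `file=` argument is an absolute path, and whether the control flag is `required` rather than `requisite`. The sample configs and the finding messages are constructed for illustration.

```python
import shlex

# Constructed sample pam.d files, modelled on the lines quoted in the comments.
SYSTEM_AUTH_BAD = """\
#%PAM-1.0
auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
"""
SYSTEM_AUTH_FIXED = SYSTEM_AUTH_BAD.replace("required pam_listfile", "requisite pam_listfile").replace("file=etc", "file=/etc")
SSHD = """\
auth required pam_sepermit.so
auth substack password-auth
"""

def parse_pam(text):
    """Yield (type, control, module, {arg: value}) for each rule line of a pam.d file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 3:
            continue
        mtype, control, i = tokens[0], tokens[1], 2
        # A bracketed control field such as [success=1 default=ignore] spans several tokens.
        while control.startswith("[") and not control.endswith("]") and i < len(tokens):
            control += " " + tokens[i]
            i += 1
        if i >= len(tokens):
            continue  # malformed line: control field but no module
        kv = dict(a.partition("=")[::2] for a in tokens[i + 1:])
        yield mtype, control, tokens[i], kv

def included_stacks(text):
    """Common stacks a service file pulls in (sshd on RHEL uses password-auth, not system-auth)."""
    return sorted({m for _, c, m, _ in parse_pam(text) if c in ("include", "substack")})

def lint_listfile(text):
    """Flag the two pam_listfile pitfalls from the thread: relative file= path, required vs requisite."""
    findings = []
    for mtype, control, module, kv in parse_pam(text):
        if not module.endswith("pam_listfile.so"):
            continue
        path = kv.get("file", "")
        if not path.startswith("/"):
            findings.append(f"{mtype}: file={path!r} is relative; use an absolute path")
        if control == "required":
            findings.append(f"{mtype}: 'required' keeps running the stack after a failure; use 'requisite'")
    return findings
```

Running `lint_listfile(SYSTEM_AUTH_BAD)` reports both mistakes, while the corrected snippet produces no findings, and `included_stacks(SSHD)` shows why the rule belongs in password-auth rather than system-auth.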

  4. So this works perfectly, with one huge exception. The server I have this enabled on is running a CUPS server. I need to be able to log in through a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to /etc/login.group.allowed, but logins over HTTPS are being blocked.

    I have no issue using ssh and sudo with groups in the /etc/login.group.allowed file; the issue seems specific to authentication with HTTPS.

    Any pointers on how I can get HTTPS authentication working?

    Thanks!
    Scott

    Is there a way to
