20 comments

  1. I need some users to be able to do “su -” to other users but not to root. How can I do that?

    1. Hi,
      Make sure the ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is present in /etc/ssh/sshd_config.

      1. The problem is, I want to log in via ssh as the user pedro, and as pedro be able to do “su -” to another user, for example apache.

  2. There is a problem with that; it is like using the wheel group. I need a normal user to be able to do su to another normal user but not to root.

    For example: user1 can do su to apache, but user1 cannot do su to root.

  3. Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

    1. I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.
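
The two comments above both come down to one question: which pam.d file does sshd's stack actually come from, and does pam_listfile end up in the section that runs for the login in question? The following is an added example, not code from the tutorial or from either commenter: it follows `include`/`substack` directives to flatten the effective stack, reports where `pam_listfile.so` sits, and applies the session-rule workaround from the Kerberos comment to a copy. The pam.d layout is a constructed, RHEL-7-style fixture written to a temp dir; the helper names (`references`, `effective_stack`, `listfile_position`, `add_session_rule`, `demo`) and the exact fixture contents are assumptions. The read-only helpers can be pointed at a real /etc/pam.d to inspect a live host.

```python
"""Added example (not from the tutorial or the comments above): resolve which
pam.d file sshd's stacks really come from and check where pam_listfile sits.
On RHEL/Fedora, /etc/pam.d/sshd pulls in password-auth via substack/include,
so a rule added only to system-auth never runs for SSH logins.  The layout
below is a constructed fixture; pass a real /etc/pam.d as `pamd_dir` to the
read-only helpers to inspect a live host."""
import os
import tempfile

FIXTURE = {  # constructed, RHEL-7-style; pam_listfile only in the auth section
    "sshd": """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    include      password-auth
""",
    "password-auth": """auth       required     pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    required     pam_unix.so
""",
}
# The Kerberos workaround from the comment above: pam_listfile as a session rule.
SESSION_RULE = ("session    required     pam_listfile.so onerr=fail item=group "
                "sense=allow file=/etc/login.group.allowed\n")


def parse_pam_file(path):
    """Yield (type, control, module) per rule; comments and blank lines are
    skipped and '-type' (optional module) is read as 'type'.  A checker, not a
    full pam.conf parser ('[...]' control syntax is not handled)."""
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) >= 3:
                yield fields[0].lstrip("-"), fields[1], fields[2]


def references(pamd_dir, service):
    """Files each management type of `service` pulls in via include/substack."""
    refs = {t: [] for t in ("auth", "account", "password", "session")}
    for ptype, control, module in parse_pam_file(os.path.join(pamd_dir, service)):
        if control in ("include", "substack") and ptype in refs:
            refs[ptype].append(module)
    return refs


def effective_stack(pamd_dir, service, ptype, depth=0):
    """Flatten one type's stack, following include/substack into other files."""
    if depth > 8:
        raise RuntimeError("include loop in %s" % service)  # defensive guard
    out = []
    for rtype, control, module in parse_pam_file(os.path.join(pamd_dir, service)):
        if rtype != ptype:
            continue
        if control in ("include", "substack"):
            out.extend(effective_stack(pamd_dir, module, ptype, depth + 1))
        else:
            out.append((service, control, module))
    return out


def listfile_position(pamd_dir, service, ptype):
    """Index of pam_listfile in the effective stack, or None if it never runs."""
    for i, (_f, _c, module) in enumerate(effective_stack(pamd_dir, service, ptype)):
        if module == "pam_listfile.so":
            return i
    return None


def add_session_rule(pamd_dir, fname):
    """Prepend SESSION_RULE to pamd_dir/fname (only call this on a copy/fixture)."""
    path = os.path.join(pamd_dir, fname)
    with open(path) as fh:
        body = fh.read()
    with open(path, "w") as fh:
        fh.write(SESSION_RULE + body)


def demo():
    """Write the fixture, inspect it, apply the session rule, inspect again."""
    pamd = tempfile.mkdtemp(prefix="pamd-")
    for name, body in FIXTURE.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    refs = references(pamd, "sshd")
    before = {
        "auth_refs": refs["auth"],
        "uses_system_auth": any("system-auth" in v for v in refs.values()),
        "listfile_auth_idx": listfile_position(pamd, "sshd", "auth"),
        "listfile_session_idx": listfile_position(pamd, "sshd", "session"),
    }
    add_session_rule(pamd, "password-auth")
    after = listfile_position(pamd, "sshd", "session")
    return before, after


if __name__ == "__main__":
    print(demo())
```

On the fixture, `references` shows that sshd never touches system-auth, which is why a rule placed there has no effect on SSH; `listfile_position` shows pam_listfile at index 1 of the auth stack (behind sshd's own pam_sepermit) and absent from the session stack until the session rule is prepended to password-auth. On a real host, run the read-only helpers as-is and apply the rule with a backup in hand, since a broken pam.d file can lock out every login.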

  4. The tutorial is great..
    But there is one big problem..
    You used required instead of requisite..

    required: failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

    requisite: like required, however, in the case that such a module returns a failure, control is directly returned to the application. (…)

    That’s the problem 🙂
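
To make the difference the commenter quotes concrete, here is an added example that is neither the tutorial's code nor the commenter's: a small model of how Linux-PAM walks an auth stack, with `pam_listfile` first under either control flag. The modules are constructed stand-ins that only record that they ran; the control semantics are those of pam.conf(5) as quoted above. The stack shape (listfile, then `sufficient pam_unix`, then `required pam_deny`), the group data and the helper names (`run_stack`, `build_stack`, `compare`) are assumptions for the demonstration.

```python
"""Added example (not the tutorial's code, and not the commenter's): a model
of how Linux-PAM walks an auth stack, to show what swapping `required` for
`requisite` on the pam_listfile rule changes.  The modules are constructed
stand-ins that record that they ran; the control semantics follow pam.conf(5):
required remembers the failure and keeps going, requisite returns at once,
sufficient ends the stack on success unless an earlier required already failed."""

# Constructed data standing in for /etc/login.group.allowed and the group database.
ALLOWED_GROUPS = {"wheel"}
USER_GROUPS = {"alice": {"wheel", "users"}, "bob": {"users"}}


def pam_listfile(user, trace):
    """item=group sense=allow: pass if the user is in any listed group."""
    trace.append("pam_listfile")
    return bool(USER_GROUPS.get(user, set()) & ALLOWED_GROUPS)


def pam_unix(user, trace):
    """Stand-in for the password check.  On a real system this is where the
    password prompt happens, so running it for an already-denied user is the
    point the commenter is making."""
    trace.append("pam_unix")
    return user in USER_GROUPS   # pretend every known user typed the right password


def pam_deny(user, trace):
    trace.append("pam_deny")
    return False


def run_stack(stack, user):
    """Walk [(control, module_fn)] and return (authenticated, modules_that_ran)."""
    trace, required_failed = [], False
    for control, module in stack:
        ok = module(user, trace)
        if control == "requisite" and not ok:
            return False, trace          # stop immediately; nothing else runs
        if control == "required" and not ok:
            required_failed = True       # remember, but keep invoking the rest
        elif control == "sufficient" and ok and not required_failed:
            return True, trace           # success short-circuits the stack
        # 'optional' would not affect the result; this stack has none
    return not required_failed, trace


def build_stack(listfile_control):
    """Assumed auth section: pam_listfile first, then a typical RHEL tail."""
    return [
        (listfile_control, pam_listfile),
        ("sufficient", pam_unix),
        ("required", pam_deny),
    ]


def compare(user):
    """Result and module trace for the same user under both control flags."""
    return {flag: run_stack(build_stack(flag), user)
            for flag in ("required", "requisite")}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, compare(user))
```

For bob (not in wheel) the final answer is "denied" under both flags, so the listfile rule does its job either way; what `required` changes is that `pam_unix` and `pam_deny` still run first, so the denied user is still prompted for a password and that password is still checked, whereas `requisite` returns before any of that happens. For alice both flags behave identically.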

  5. Works great. Only users who are part of the wheel group can log in now.

    But now when those users try to use sudo, they get this error:

    sudo: pam_authenticate: Error in service module

      1. In the /etc/pam.d/system-auth file, the correct line should read:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

        I had:
        auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed

        (notice there is no ‘/’ in front of etc/login.group.allowed)

  6. So this works perfectly with one huge exception. The server I have this enabled on is running a CUPS server. I need to be able to log in through a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to /etc/login.group.allowed, but logins over HTTPS are being blocked.

    I have no issue using ssh and sudo with groups in the /etc/login.group.allowed file; the issue seems specific to authentication over HTTPS.

    Any pointers on how I can get HTTPS authentication working?


    Is there a way to
