There are two ways to allow / restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use login access control table. Locking down system login access is very important task if you need a secure system.
The system administrator is free to choose how individual service-providing applications will authenticate users. Many new admins not aware of PAM and related services. In this tip you are going to use authentication (auth) group, which authenticate a user and set up user credentials.
Deny or allow access to groups using PAM
pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. Service can be any one of the following
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others
How do I setup pam_listfile PAM module for group based login?
Let us say you would like to allow login to only members of wheel (root user) and webdev groups.
Step # 1: Create /etc/login.group.allowed file
/etc/login.group.allowed filename contains one line per group listed. If the group name is found, then login is allowed; else authorization request denied:
# vi /etc/login.group.allowed
Add group names:
root
wheel
webdev
Save and close the file.
Step # 2: Allow group based login to all services
Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,
- auth required pam_listfile.so : Pam module name required for allowing group based login
- onerr=fail : What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
- item=group : Check for group name
- sense=allow : The authorization request to succeed if group name found in /etc/login.group.allowed file
- file=/etc/login.group.allowed : Filename contains one line per group name listed. If the group name is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.
Caution: Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services. If you need login restrictions for specific service modify specific service located in /etc/pam.d/service-name file.
Save and close the file. This will only allow users that belong to the root, wheel and webdev group to login to the system. You can apply above technique to:
- User names
- Shell
- Tty names
- Rhost / Ruser (remote login host / user id)
The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).
=> Related PAM config FAQ : Linux PAM configuration that allows or deny user login via the sshd server
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 20 comments... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
So this works perfectly with one huge exception. The server I have this enabled on is running a cups server. I need to be able to login though a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to the /etc/login.group.allowed, but logins over HTTPS are being blocked.
I have no issue using the ssh and sudo with groups in the /etc/login.group.allowed file the issue seems specific to authentication with HTTPS.
Any pointers on how I can get HTTPS authentication working?
Thanks!
Scott
Is there a way to
I couldn’t resist commenting. Perfectly written!
Works great. Only users part of wheel group can login now.
But now when those user try to use sudo, they get this error:
sudo: pam_authenticate: Error in service module
Check sudo log file or system log file in /var/log directory.
Thank you. I had file=etc/…. instead or file=/etc/….
Can you please be more specific on how you got it to work?
In the /etc/pam.d/system-auth file, the correct line should read:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
I had:
auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed
(notice there is no ‘/’ in front of etc/login.group.allowed)
Tutorial is great..
But there is one big problem..
You used requiered instead of requisite..
http://linux.die.net/man/5/pam.d
required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)
Thats the problem 🙂
Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.
I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.
there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.
for example: user1 can do su to apache, but user1 cannot do su to root
thanks i’m gonna try
Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml
I need some users can do “su – ” to other users but not root how can i do that?
Hi,
Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config
the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache
Doesn’t work, running CentOS 5.5
I second this, it does not work
running on RHEL5.6 x64
This doesn’t work. I followed both steps … but still all users can login successfully ! >.<
wat a good idea sir ji ….Thanks 😉