Linux allow / restrict system logins to specific user groups only using pam_listfile PAM module

last updated September 13, 2007 in CentOS, Debian Linux, Gentoo Linux, Howto, Linux, Linux distribution, Linux login control, RedHat/Fedora Linux, Security, Sys admin, Tips, Ubuntu Linux

There are two ways to allow / restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use login access control table. Locking down system login access is very important task if you need a secure system.

The system administrator is free to choose how individual service-providing applications will authenticate users. Many new admins not aware of PAM and related services. In this tip you are going to use authentication (auth) group, which authenticate a user and set up user credentials.

Deny or allow access to groups using PAM

pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. Service can be any one of the following
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others

How do I setup pam_listfile PAM module for group based login?

Let us say you would like to allow login to only members of wheel (root user) and webdev groups.

Step # 1: Create /etc/login.group.allowed file

/etc/login.group.allowed filename contains one line per group listed. If the group name is found, then login is allowed; else authorization request denied:
# vi /etc/login.group.allowed
Add group names:
root wheel webdev
Save and close the file.

Step # 2: Allow group based login to all services

Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,

auth required pam_listfile.so : Pam module name required for allowing group based login
onerr=fail : What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
item=group : Check for group name
sense=allow : The authorization request to succeed if group name found in /etc/login.group.allowed file
file=/etc/login.group.allowed : Filename contains one line per group name listed. If the group name is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.

Caution: Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services. If you need login restrictions for specific service modify specific service located in /etc/pam.d/service-name file.

Save and close the file. This will only allow users that belong to the root, wheel and webdev group to login to the system. You can apply above technique to:

User names
Shell
Tty names
Rhost / Ruser (remote login host / user id)

The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

20 comment

ashwani says:
June 10, 2009 at 10:11 pm
wat a good idea sir ji ….Thanks 😉
yash says:
August 11, 2010 at 3:28 am
This doesn’t work. I followed both steps … but still all users can login successfully ! >.<
scott rineer says:
March 30, 2011 at 4:24 pm
I second this, it does not work
running on RHEL5.6 x64
Denis says:
April 12, 2011 at 3:28 pm
Doesn’t work, running CentOS 5.5
popfobia says:
May 5, 2011 at 12:07 pm
I need some users can do “su – ” to other users but not root how can i do that?
1. Remy says:
  May 6, 2011 at 12:42 am
  Hi,
  Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config
  1. popfobia says:
    May 16, 2011 at 7:47 pm
    the problem is, if I want to login via ssh with the user pedro. and with pedro can do “su – ” to another user, for example apache
Remy says:
May 18, 2011 at 8:04 pm
Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml
popfobia says:
May 18, 2011 at 9:26 pm
thanks i’m gonna try
popfobia says:
May 18, 2011 at 9:44 pm
there is a problem with that, is like use wheel group, i need normal user can do su to other normal user but no to root.
for example: user1 can do su to apache, but user1 cannot do su to root
heegemcgee says:
May 3, 2012 at 9:30 pm
Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.
1. kris says:
  January 15, 2013 at 8:27 pm
  I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.
Philipp says:
May 28, 2012 at 3:43 pm
Tutorial is great..
But there is one big problem..
You used requiered instead of requisite..
http://linux.die.net/man/5/pam.d
required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)
Thats the problem 🙂
chase says:
October 30, 2013 at 8:29 pm
Works great. Only users part of wheel group can login now.
But now when those user try to use sudo, they get this error:
sudo: pam_authenticate: Error in service module
1. nixCraft says:
  October 31, 2013 at 7:52 am
  Check sudo log file or system log file in /var/log directory.
  1. chase says:
    October 31, 2013 at 3:42 pm
    Thank you. I had file=etc/…. instead or file=/etc/….
2. Prime says:
  December 4, 2013 at 4:19 pm
  Can you please be more specific on how you got it to work?
  1. Chase says:
    December 4, 2013 at 5:48 pm
    In the /etc/pam.d/system-auth file, the correct line should read:
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
    I had:
    auth required pam_listfile.so onerr=fail item=group sense=allow file=etc/login.group.allowed
    (notice there is no ‘/’ in front of etc/login.group.allowed)
Barrett Clow says:
September 12, 2015 at 6:05 am
I couldn’t resist commenting. Perfectly written!
Scott Sisco says:
March 8, 2016 at 12:19 am
So this works perfectly with one huge exception. The server I have this enabled on is running a cups server. I need to be able to login though a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to the /etc/login.group.allowed, but logins over HTTPS are being blocked.
I have no issue using the ssh and sudo with groups in the /etc/login.group.allowed file the issue seems specific to authentication with HTTPS.
Any pointers on how I can get HTTPS authentication working?
Thanks!
Scott
Is there a way to

Have a question? Post it on our forum!

Tagged as: access control, pam configuration, pam module, secure system, user groups login