From SpectLog

User-based and host-based access control for login services can be configured through PAM using the pam_access.so module. The offline man pages contain detailed documentation for the module:

shell> apropos pam_access
pam_access           (8)  - PAM module for logdaemon style login access control

Access rules are configured in the /etc/security/access.conf file; its format is described in another man page:

shell> apropos access.conf
access.conf [access] (5)  - the login access control table file
...

Access rules distinguish logins through a terminal line (non-networked logins) from logins over the network (hosts, nets, domains, etc.).

Example 1: restricting access for network login

  • Enabling PAM for the sshd service in the /etc/ssh/sshd_config file:
UsePAM yes
  • Configuring PAM to use the pam_access.so module for the sshd service. Insert the following line at the beginning of the /etc/pam.d/sshd file:
auth required pam_access.so
  • Adding an access rule which restricts (-) access for testuser from localhost. Append the following line to the end of the /etc/security/access.conf file:
- : testuser : 127.0.0.0/24
  • Testing local connection:
shell> ssh testuser@localhost
testuser@localhost's password: 
Permission denied, please try again.
testuser@localhost's password: 
  • Verifying in /var/log/secure file:
shell> tail -f /var/log/secure
Dec 13 10:17:59 testhost sshd[13003]: pam_access(sshd:auth): access denied for user `testuser' from `localhost'
Dec 13 10:18:01 testhost sshd[13003]: Failed password for testuser from ::1 port 37115 ssh2
Dec 13 10:18:01 testhost sshd[13004]: Connection closed by ::1

Example 2: restricting access for users on virtual console

Similarly, non-network logins can be restricted.

  • In this case, use the common PAM configuration included by all login services. Add the same line at the beginning of the /etc/pam.d/system-auth file:
auth required pam_access.so
  • Adding an access rule which restricts (-) access for ALL users from tty2. Append the following line to the end of the /etc/security/access.conf file:
- : ALL : tty2
  • Testing login through tty2 (switch to the second virtual console with ALT+F2):
testhost login: testuser
Password:

Login incorrect
  • Verifying in /var/log/secure file:
shell> tail -f /var/log/secure
Dec 13 02:07:15 testhost login: pam_access(login:auth): access denied for user `testuser' from `tty2'
Dec 13 02:07:18 testhost login: pam_ldap: ldap_starttls_s: Protocol error
Dec 13 02:07:19 testhost login: FAILED LOGIN SESSION FROM (null) FOR lucia, Permission denied
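To audit a rule set like the ones in Example 1 and Example 2 before deploying it, the following added example (not from this page or the pam_access project) evaluates access.conf rules with pam_access first-match semantics: the first line whose user and origin fields both match decides, and no match means access is granted. It is a simplified model: it handles ALL, exact tty or hostname names and CIDR networks, but not groups, EXCEPT, LOCAL or hostname resolution, so network origins must be given as addresses.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample access.conf content (not the page's full file).
# Format: permission : users : origins
SAMPLE_ACCESS_CONF = """
# Example 1: deny testuser from the loopback network
- : testuser : 127.0.0.0/24
# Example 2: deny everyone on the second virtual console
- : ALL : tty2
# hypothetical extra rule: admin may log in from anywhere
+ : admin : ALL
"""

def parse_rules(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Parse access.conf lines into (permission, users, origins) tuples.
    Comments and blank lines are skipped; list fields may be space- or
    comma-separated, as in the real file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [f.strip() for f in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf rule: {raw!r}")
        perm, users, origins = parts
        rules.append((perm, users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def origin_matches(pattern: str, origin: str) -> bool:
    """Match a tty name, hostname or IP address against one origin pattern.
    ALL matches anything; a CIDR pattern matches an address inside it;
    anything else is an exact string comparison (no DNS lookups)."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # pattern or origin is not an address: compare names
        return pattern == origin

def access_allowed(rules, user: str, origin: str) -> bool:
    """First rule matching both user and origin decides ('+' grants,
    '-' denies); pam_access grants access when no rule matches."""
    for perm, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(p, origin) for p in origins):
            return perm == "+"
    return True
```

Because evaluation stops at the first match, the hypothetical admin rule never fires on tty2: the earlier ALL rule denies the console for everyone, which is the kind of ordering effect worth checking before restarting the login services.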