OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Problems with SSH and pam_listfile

From: Dan Yefimov (danlightwave.net.ru)
Date: Thu Mar 11 2010 - 14:43:27 CST


On 11.03.2010 22:48, John Gorkos wrote:
> I am having good success using pam_listfile with my LDAP directory to
> allow/disallow users in specific posixGroups access to servers using SSH. My
> "auth" section of /etc/pam.d/system-auth on my RHEL 5.2 system looks like
> this:
>
> auth required pam_listfile.so onerr=fail item=group sense=allow
> file=/etc/login.group.allowed
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth sufficient pam_ldap.so use_first_pass
> auth requisite pam_succeed_if.so uid>= 500 quiet
> auth required pam_deny.so
>
> If a user's UID is in a memberUID field of an objectClass=posixGroup in LDAP
> (ou=Groups,o=XXXX), he can log in via SSH. If he's not in one of the groups
> enumerated in /etc/login.group.allowed, he's denied... UNLESS he has a public
> key in his ~/.ssh/authorized_keys file. If that is the case, he's allowed to
> log in with no problems, even if he's not in an allowed group.
> Sudo (which is also controlled by LDAP) works correctly, i.e. if a user is not
> in an allowed group, but logs into the system anyway due to an authorized_keys
> entry, he will not be allowed to sudo execute anything.
>
> The problem is that I have users with keys in place already. We have
> automated processes that use these keys, so I can't be draconian and disallow
> key usage. On the other hand, I have a fairly fluid set of people moving into
> and out of groups, so I need to be able to control access to these machines
> regardless of whether there is a key in authorized_keys.
>
> Has anyone seen this before, or is there a way that I can re-order my pam
> config to force SSH to respect the group membership requirements?
>
I'd suggest you checking users being allowed/denied in the account stack,
instead of the auth one.
--

Sincerely Yours, Dan.

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list