Limiting login via access.conf not working

debian-wheezypam

I'm running Debian Wheezy and having a rough time getting /etc/security/access.conf changes to apply. Tangentially, I believe there could be an issue with PAM in general as I have been unable to get changes in limits.conf to stick.

My systems are setup to authenticate against an LDAP server. I want to limit the users that can log in to a couple of local users and members of a couple LDAP groups.

I've added the following to /etc/pam.d/sshd and /etc/pam.d/login:

account  required     pam_access.so

My access.conf looks like this:

+ : local_user1 local_user2 ldap_group1 ldap_group2 : ALL
- : ALL : ALL

I know this can be accomplished via sshd_config, but it's become a matter of principle at this point. As I mentioned above, I'm wondering if there isn't something going on with PAM.

Best Answer

UsePAM in /etc/ssh/sshd_config is required for sshd to pay attention to PAM settings.

Related Solutions

Ldap – Is anyone using access.conf and netgroup authentication with sssd

I have Red Hat 6 authenticating against AD using Netgroups successfully. I am trying to get it authenticating against an old Sun LDAP server and am not having luck. I can see the netgroups, I can see the user with "getent netgroup {name of netgroup} and I can su to the user. However when I attempt to login it does not work.

What I can tell you from my AD authentication is taht your netgroup statement is the opposite of what you want. When you begin with a - it means DO NOT allow them to login. Try switching that to a + meaning DO allow the users in this netgroup to login.

Also use the getent command to check to see if you can see your users and netgroup proprely. getent passwd {username} getent netgroup {name of netgroup}

Remember getent also looks at your local files (as defined in nsswitch.conf) for this information so be sure the information is only available via LDAP.

Hope this helps,

Dan

Linux – Check if account is allowed when using pam_access

I recently had to perform a PCI audit of a very similar nature (who can log in to these systems and what are their permissions), so have a good feel for what you're trying to accomplish here. The methodology varies from environment to environment depending on how PAM and LDAP are configured.

The following factors seem to apply to your environment:

The enumerated passwd database (getent passwd) contains users who should never be allowed to access the system.
shadow restrictions must be considered. Sometimes, anyway. You have broken_shadow enabled.
PAM restrictions must be considered. (including pam_access restrictions, which greatly decreases the likeliness of finding an all-in-one tool that will do this without actually performing a call against pam_acct_mgmt)
KRB5 restrictions must be considered, for users who have accounts.

I would rate the complexity of this assignment as "high and time consuming" without a utility that tests PAM stacks. pamtester looks like it will do the job. You'll need to loop through every user in getent passwd and perform a post-authentication accounting check:

pamtester sshd $user acct_mgmt

This assumes that you only need to test access via ssh. If you need to test more than that, do so. Review /etc/pam.d for the services that you have configured and audit whatever is necessary.

(I apologize for the initial answer, my last effort was more focused on sudo audits than PAM audits and I was in too much of a "do everything by hand" mindset.)

Best Answer

Related Solutions

Ldap – Is anyone using access.conf and netgroup authentication with sssd

Linux – Check if account is allowed when using pam_access

Related Topic