I'm using pam_access and /etc/security/access.conf to restrict who can log in to my RHEL 6.5 hosts.
I have an LDAP server with a diverse user base, and the security people would like a list of who can login to what.
I need a scriptable way to check if an account will be able to log in to the host. getent passwd, id, finger, groups and every other tool I've tried return the same output whether an account is restricted from logging in or not. passwd -S doesn't seem to work with LDAP accounts at all.
Is there a way to check if a given account has login permissions? On Solaris if the user or netgroup isn't in /etc/passwd none of the tools can identify a restricted account, but it seems to be completely the opposite on Linux.
Thanks!
Edit:
This is the account section of /etc/pam.d/system-auth:
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
My puppet config only does the following that could change the pam setup.
/usr/sbin/authconfig --enablemkhomedir --updateall
/usr/sbin/authconfig --enablekrb5 --updateall
/usr/sbin/authconfig --enablepamaccess --updateall
/usr/sbin/authconfig --enablesssd --updateall
/usr/sbin/authconfig --nisdomain=domainname.corp --updateall
my /etc/security/access.conf
+ : root : ALL
.... all system accounts
+ : @ngunix_admins : ALL
- : ALL : ALL
My netgroup
getent netgroup ngunix_admins
ngunix_admins ( ,danw,domainname.corp)
I'm in the ngunix_admins netgroup so this makes sense
% id danw
uid=355400001(danw) gid=355400001(danw) groups=355400001(danw)
% getent passwd danw
danw:*:355400001:355400001:unixadmin:/home/danw:/bin/bash
But this other user is not in the ngunix_admins netgroup so I need some way to identify that he cannot log in
id testuser
uid=355400003(testuser) gid=355400003(testuser) groups=355400003(testuser)
getent passwd testuser
testuser:*:355400003:355400003:first last:/home/testuser:/bin/bash
2nd Edit: Clarify that I'm not tuning login permissions, but trying to report on access for auditing.
Best Answer
I recently had to perform a PCI audit of a very similar nature (who can log in to these systems and what are their permissions), so have a good feel for what you're trying to accomplish here. The methodology varies from environment to environment depending on how PAM and LDAP are configured.
The following factors seem to apply to your environment:
- passwd database (getent passwd) contains users who should never be allowed to access the system.
- shadow restrictions must be considered. Sometimes, anyway. You have broken_shadow enabled.
- pam_access restrictions, which greatly decreases the likeliness of finding an all-in-one tool that will do this without actually performing a call against pam_acct_mgmt()
I would rate the complexity of this assignment as "high and time consuming" without a utility that tests PAM stacks. pamtester looks like it will do the job. You'll need to loop through every user in getent passwd and perform a post-authentication accounting check:
This assumes that you only need to test access via ssh. If you need to test more than that, do so. Review /etc/pam.d for the services that you have configured and audit whatever is necessary.
(I apologize for the initial answer, my last effort was more focused on sudo audits than PAM audits and I was in too much of a "do everything by hand" mindset.)
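As an added worked example (not code from the question or the answer above), the script below shows the two halves of such an audit side by side: a static evaluation of /etc/security/access.conf rules, which is enough to explain why danw passes and testuser fails in the question's setup, and the authoritative check through the real PAM account stack via pamtester acct_mgmt as the answer recommends. The static part only approximates pam_access (first matching line wins, '+' permits, '-' denies, no match permits; ALL, ALL EXCEPT, login names, group names, @netgroup, and ALL/LOCAL/exact origins), so treat it as a cross-check, not as the verdict; pam_unix, pam_krb5 and the rest of the account stack also get a vote, which is exactly why the answer points at pamtester. The access.conf text, netgroup and group tables, and the user names are constructed to resemble the question; the default origin string is a hypothetical host name.

```python
"""Audit helper for pam_access: static evaluation of /etc/security/access.conf.

Added example, not code from the original question or answer. It approximates
pam_access rule matching (first matching line wins; '+' permits, '-' denies;
no match permits) so an auditor can produce a first-pass "who can log in"
list offline. The authoritative answer still comes from the PAM account stack
itself, because pam_unix, pam_krb5 etc. also get a vote; check_with_pamtester()
below runs that check the way the answer suggests when pamtester is installed.
All sample data is constructed to resemble the question's setup.
"""
import shutil
import subprocess

# Constructed sample access.conf, modelled on the one in the question.
ACCESS_CONF = """\
# comments and blank lines are ignored
+ : root : ALL
+ : sshd nobody : ALL
+ : @ngunix_admins : ALL
- : ALL : ALL
"""

# Constructed stand-ins for `getent netgroup` / `getent group` lookups.
NETGROUPS = {"ngunix_admins": {"danw"}}
GROUPS = {"wheel": {"root"}}


def parse_access_conf(text):
    """Return a list of (permit, user_tokens, origin_tokens) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def user_token_matches(token, user, netgroups, groups):
    """One entry of the users field: ALL, a login name, a group name, or @netgroup."""
    if token == "ALL":
        return True
    if token.startswith("@"):
        return user in netgroups.get(token[1:], set())
    if token == user:
        return True
    return user in groups.get(token, set())


def field_matches(tokens, user, netgroups, groups):
    """Whole users field, including the 'ALL EXCEPT a b ...' form."""
    if len(tokens) >= 3 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(user_token_matches(t, user, netgroups, groups) for t in tokens[2:])
    return any(user_token_matches(t, user, netgroups, groups) for t in tokens)


def origin_matches(tokens, origin):
    """Origins field: ALL, LOCAL (origin contains no dot), or an exact tty/host name."""
    for t in tokens:
        if t == "ALL" or (t == "LOCAL" and "." not in origin) or t == origin:
            return True
    return False


def access_allowed(user, rules, origin="sshd-host.corp", netgroups=NETGROUPS, groups=GROUPS):
    """First matching rule decides; pam_access permits when nothing matches.
    The default origin is a hypothetical remote host name (so LOCAL does not match)."""
    for permit, users, origins in rules:
        if field_matches(users, user, netgroups, groups) and origin_matches(origins, origin):
            return permit
    return True


def audit(users, rules, **kw):
    """Map each login name to the static pam_access verdict."""
    return {u: access_allowed(u, rules, **kw) for u in users}


def check_with_pamtester(service, user):
    """Authoritative check through the real PAM account stack, as the answer
    suggests: `pamtester <service> <user> acct_mgmt` (exit status 0 means the
    account stack passed). Returns True/False, or None when pamtester is absent."""
    if shutil.which("pamtester") is None:
        return None
    res = subprocess.run(["pamtester", service, user, "acct_mgmt"],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Names from the question; in a real audit feed `getent passwd | cut -d: -f1` here.
    for user, ok in audit(["root", "danw", "testuser", "nobody"], rules).items():
        print("%-10s static=%s pamtester=%s" % (user, ok, check_with_pamtester("sshd", user)))
```

On a real host, replace the constructed NETGROUPS and GROUPS tables with the output of getent netgroup and getent group, and run the loop once per PAM service you care about (sshd, login, and so on), since each service may stack different account modules; where the static verdict and the pamtester verdict disagree, the pamtester result is the one to report.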