On 11.03.2010 22:48, John Gorkos wrote:
I am having good success using pam_listfile with my LDAP directory to
allow/disallow users in specific posixGroups access to servers using SSH. My
"auth" section of /etc/pam.d/system-auth on my RHEL 5.2 system looks like
this:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
If a user's UID is in a memberUID field of an objectClass=posixGroup in LDAP
(ou=Groups,o=XXXX), he can log in via SSH. If he's not in one of the groups
enumerated in /etc/login.group.allowed, he's denied... UNLESS he has a public
key in his ~/.ssh/authorized_keys file. If that is the case, he's allowed to
log in with no problems, even if he's not in an allowed group.
Sudo (which is also controlled by LDAP) works correctly, i.e. if a user is not
in an allowed group, but logs into the system anyway due to an authorized_keys
entry, he will not be allowed to sudo execute anything.
The problem is that I have users with keys in place already. We have
automated processes that use these keys, so I can't be draconian and disallow
key usage. On the other hand, I have a fairly fluid set of people moving into
and out of groups, so I need to be able to control access to these machines
regardless of whether there is a key in authorized_keys.
Has anyone seen this before, or is there a way that I can re-order my pam
config to force SSH to respect the group membership requirements?
I'd suggest you check users being allowed/denied in the account stack,
instead of the auth one.
--
Sincerely Yours, Dan.
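
Added example, not part of the original thread: a Python check that flags access-control modules such as pam_listfile that appear only in the auth stack, which sshd does not consult for public-key logins, whereas with UsePAM enabled it still runs the account stack. The function names, the module selection and the AFTER configuration are constructed for illustration; BEFORE is the auth section quoted above.

```python
import re

# Modules that make an allow/deny decision rather than verify a credential.
# (This selection is an assumption of the example, not an exhaustive list.)
ACCESS_MODULES = {"pam_listfile.so", "pam_access.so"}

def parse_pam(text):
    """Yield (stack_type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4)

def auth_only_access_checks(text):
    """Return access-control modules present in 'auth' but absent from 'account'."""
    stacks = {}
    for stack, _control, module, _args in parse_pam(text):
        if module in ACCESS_MODULES:
            stacks.setdefault(module, set()).add(stack)
    return sorted(m for m, s in stacks.items() if "auth" in s and "account" not in s)

# The auth section from the original post.
BEFORE = """\
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Constructed: the group check moved to the account stack, as the reply suggests.
AFTER = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_listfile.so onerr=fail item=group sense=allow \\
    file=/etc/login.group.allowed
account required pam_unix.so
"""

if __name__ == "__main__":
    print("before:", auth_only_access_checks(BEFORE))
    print("after: ", auth_only_access_checks(AFTER))
```

The check reads one file at a time, so run it against the file that actually holds the rules (here /etc/pam.d/system-auth) rather than a service file that only includes it.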