On Thursday 11 March 2010 15:43:27 Dan Yefimov wrote:
> On 11.03.2010 22:48, John Gorkos wrote:
> > I am having good success using pam_listfile with my LDAP directory to
> > allow/disallow users in specific posixGroups access to servers using SSH.
> > My "auth" section of /etc/pam.d/system-auth on my RHEL 5.2 system looks
> > like this:
> >
> > auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth sufficient pam_ldap.so use_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth required pam_deny.so
> >
> > If a user's UID is in a memberUID field of an objectClass=posixGroup in
> > LDAP (ou=Groups,o=XXXX), he can log in via SSH. If he's not in one of
> > the groups enumerated in /etc/login.group.allowed, he's denied... UNLESS
> > he has a public key in his ~/.ssh/authorized_keys file. If that is the
> > case, he's allowed to log in with no problems, even if he's not in an
> > allowed group.
> > Sudo (which is also controlled by LDAP) works correctly, i.e. if a user
> > is not in an allowed group, but logs into the system anyway due to an
> > authorized_keys entry, he will not be allowed to sudo execute anything.
> >
> > The problem is that I have users with keys in place already. We have
> > automated processes that use these keys, so I can't be draconian and
> > disallow key usage. On the other hand, I have a fairly fluid set of
> > people moving into and out of groups, so I need to be able to control
> > access to these machines regardless of whether there is a key in
> > authorized_keys.
> >
> > Has anyone seen this before, or is there a way that I can re-order my pam
> > config to force SSH to respect the group membership requirements?
>
> I'd suggest you check users being allowed/denied in the account stack,
> instead of the auth one.

Superb. That did the trick. I appreciate the help.

The account stack now looks like this:

account required pam_unix.so
account required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_ldap.so
account required pam_permit.so

John Gorkos

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
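The following is an added example, not code from the thread: a small simulator of Linux-PAM control flags (required/requisite/sufficient) run over the auth stack John posted and the account stack from his reply, to show why a public-key login slipped past pam_listfile in auth but is caught in account. It assumes sshd with UsePAM runs pam_authenticate only for password logins while every login passes pam_acct_mgmt; ALLOWED_GROUPS is a constructed stand-in for /etc/login.group.allowed, each module is a predicate over a user dict, and the "before" account stack is assumed to be the posted one minus the pam_listfile line.

```python
ALLOWED_GROUPS = {"admins", "ops"}          # constructed /etc/login.group.allowed

def in_allowed_group(u):                    # pam_listfile item=group sense=allow
    return bool(ALLOWED_GROUPS & set(u["groups"]))

# Original auth stack from the post; each module replaced by a predicate
AUTH_STACK = [
    ("required",   in_allowed_group),                    # pam_listfile
    ("required",   lambda u: True),                      # pam_env
    ("sufficient", lambda u: u.get("local_pw", False)),  # pam_unix
    ("sufficient", lambda u: u.get("ldap_pw", False)),   # pam_ldap
    ("requisite",  lambda u: u["uid"] >= 500),           # pam_succeed_if uid >= 500
    ("required",   lambda u: False),                     # pam_deny
]

# Account stack as posted in the reply
ACCOUNT_STACK = [
    ("required",   lambda u: not u.get("expired", False)),  # pam_unix
    ("required",   in_allowed_group),                       # pam_listfile
    ("sufficient", lambda u: u["uid"] < 500),               # pam_succeed_if uid < 500
    ("sufficient", lambda u: u.get("ldap_account", True)),  # pam_ldap
    ("required",   lambda u: True),                         # pam_permit
]
# Assumed "before" state: the same account stack without the pam_listfile line
ACCOUNT_STACK_BEFORE = [e for e in ACCOUNT_STACK if e[1] is not in_allowed_group]

def run_stack(stack, user):
    """required: remember the failure but keep going; requisite: fail at once;
    sufficient: success ends the stack only if no required module has failed."""
    failed = False
    for control, module in stack:
        ok = module(user)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True
    return not failed

def ssh_login(user, method, account_stack=ACCOUNT_STACK):
    """Assumed sshd behaviour (UsePAM yes): the auth stack runs only for
    password logins; public-key logins skip it but still hit the account stack."""
    if method == "password" and not run_stack(AUTH_STACK, user):
        return False
    return run_stack(account_stack, user)
```

Because the pam_listfile line sits before the uid < 500 line, a local system account that is not in the allowed file is denied as well; evaluate a uid 0 user to confirm that is what you want.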