Group policy in Linux

May 31, 2009

linux

Suppose you want to limit access to some servers so that only members of a specific group (or of multiple groups) may log in.

The following is one way to tackle this. In this example I will configure ssh access so that only people in the admin group can log in. The nice thing is that this works regardless of whether Kerberos or LDAP is in use.

Preparation

In /etc/pam.d, find the “service” to which you want to add a group policy, for instance sshd, and edit that file (this is on Ubuntu).

Remove the comment so that this:

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

becomes:

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

After that you can edit /etc/security/access.conf.

Setting policy

The actual policy is set in the access.conf file located in /etc/security. Currently the fall-through behaviour is to let everybody log in, so first we want to make sure nobody can log in. Each line has several columns, separated by colons, with the following meaning (also see access.conf(5)):

+/- : WHO : WHERE

A + means access granted, a - means denied. WHO can be a user or a group, and WHERE is used (among other things) to say you can only log in from a specific IP address. The whole syntax reminds me of TCP Wrappers (tcpd).

So to disallow all logins, access.conf should contain only one line:

- : ALL : ALL

This means nobody can log in:

% slogin miekg@localhost
 A T O O M  ---  foton.atoom.net

   $Hash: sshd_banner b93d7ef 1230802346 miekg $

miekg@localhost's password: 
Connection closed by 127.0.0.1

Yep, that works.

Now we extend access.conf so that only I (miekg) can log in:

+ : miekg : ALL
- : ALL : ALL

Testing with slogin confirms that I’m now able to log in.

Now only people in the admin group are allowed:

+ : (admin) : ALL
- : miekg : ALL
- : ALL : ALL

Notice that the miekg entry is still there, but it will never be reached: the lines are evaluated in order and the first matching line wins, and because I’m also a member of the admin group the + line matches first. And indeed I can now log in with ssh.

To use multiple groups you can use the following:

+ : (admin) (root) : ALL

This means that if you are a member of admin or root you are allowed to log in. I have yet to think of a way to say you must be a member of both groups.
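To see why ordering matters in the examples above (the unreachable miekg line, and why listing two groups in one WHO field means "either, not both"), here is a small simulator of how pam_access walks access.conf. It is an added example, not part of the original post and not pam_access itself: it models only the subset of the grammar used on this page (+/-, user names, (group) entries, ALL, and a plain origin field), leaves out EXCEPT lists, netgroups and network masks, and uses a constructed user/group table instead of /etc/passwd and /etc/group.

```python
"""First-match simulation of /etc/security/access.conf evaluation.

Constructed teaching example: reproduces the rule walk pam_access performs
(first matching line decides; no matching line means access is granted) so a
policy can be checked on paper before it is deployed.  Not a replacement for
pam_access(8).
"""

# Constructed stand-in for /etc/passwd and /etc/group: user -> groups.
GROUPS = {
    "miekg": {"miekg", "admin"},
    "alice": {"alice", "root"},
    "bob": {"bob", "users"},
}


def parse_access_conf(text):
    """Return a list of (permission, who_tokens, where_tokens) from access.conf text.

    Comments (#) and blank lines are skipped.  Each remaining line must have
    exactly three colon-separated fields; WHO and WHERE may list several
    whitespace-separated tokens.  (Origins containing colons, e.g. IPv6
    addresses, are outside this simplified parser.)
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '+/- : WHO : WHERE', got {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def who_matches(token, user, groups):
    """One WHO token against a user and the set of groups the user belongs to."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups  # explicit group entry, e.g. (admin)
    # pam_access default: a bare name matches the user name, else a group name.
    return token == user or token in groups


def where_matches(token, origin):
    """One WHERE token against the login origin (only ALL and exact match here)."""
    return token == "ALL" or token == origin


def check_access(rules, user, origin, groups_db=GROUPS):
    """Return (allowed, rule_index): the first matching rule decides.

    rule_index is None when no rule matched, in which case pam_access lets
    the login through, which is the fall-through behaviour the post starts from.
    """
    groups = groups_db.get(user, {user})
    for idx, (perm, who, where) in enumerate(rules):
        if any(who_matches(w, user, groups) for w in who) and any(
            where_matches(w, origin) for w in where
        ):
            return perm == "+", idx
    return True, None


if __name__ == "__main__":
    # The "admin group only" policy from the post; the miekg line is unreachable.
    conf = """
    + : (admin) : ALL
    - : miekg : ALL
    - : ALL : ALL
    """
    rules = parse_access_conf(conf)
    for user in ("miekg", "alice", "bob"):
        allowed, idx = check_access(rules, user, "127.0.0.1")
        print(f"{user}: {'allowed' if allowed else 'denied'} by rule {idx}")
```

Swapping the first two lines of the sample policy makes miekg hit the deny line first, which is the quickest way to convince yourself that the trailing "- : ALL : ALL" only does its job if every "+" line sits above it. The simulator also shows that "(admin) (root)" in one WHO field is satisfied by either group, because the tokens of a field are OR'ed.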
