Suppose you want to limit access to some servers: only people who are members of a specific group (or of multiple groups) may log in.

The following is one way to tackle this. In this example I will restrict ssh access in such a way that only people from the admin group can log in. The nice thing is that this will work regardless of any Kerberos or LDAP usage.

In /etc/pam.d find the “service” which you want to add a group policy to, for instance sshd, and edit that file (this is with Ubuntu):
Remove the comment so that this:

```
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so
```

becomes this:

```
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so
```
After that you can edit the policy. The actual policy is set in the access.conf file located in /etc/security. Currently the fall-through behavior is to let everybody log in, so first we want to make sure nobody can log in. Each line has several columns; the columns are separated with colons and have the following meaning (also

```
+/- : WHO : WHERE
```
A + means access granted, a - means denied. WHO can be a user or a group (a group is written in parentheses), and WHERE is used (among other things) to say you can only log in from a specific IP address. The whole syntax reminds me of TCPD wrappers.
So to disallow all logins, access.conf should only have one line:

```
- : ALL : ALL
```

This means nobody can log in:

```
% slogin miekg@localhost
A T O O M --- foton.atoom.net
$Hash: sshd_banner b93d7ef 1230802346 miekg $
miekg@localhost's password:
Connection closed by 127.0.0.1
```

Yep, that works.
Now we extend access.conf to only allow me (miekg) to log in:

```
+ : miekg : ALL
- : ALL : ALL
```

slogin confirms that I’m now able to log in.
Now only people in the admin group are allowed:

```
+ : (admin) : ALL
- : miekg : ALL
- : ALL : ALL
```

Notice that the miekg entry is still there, but it will never be reached, because pam_access stops at the first matching line and I’m also a member of the admin group. And indeed I can now log in with ssh.
To use multiple groups you can use the following:

```
+ : (admin) (root) : ALL
```

This means that if you are a member of admin or root you are allowed to log in. I have yet to think of a way to say you must be a member of
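To make the first-match behaviour of the policies above concrete, here is a small evaluator I added for this write-up; it is not pam_access itself and simplifies the WHERE column to an exact address or ALL. The group memberships and the 192.0.2.10 address are constructed for the demonstration.

```python
# Added example: mimics how pam_access walks access.conf. First matching
# line wins, "(name)" in the WHO column means a group, "ALL" matches
# everything. Not the real module; membership table is constructed.
import re

# Constructed stand-in for the getent/NSS group lookups PAM would do.
GROUPS = {
    "admin": {"miekg", "alice"},
    "root": {"root"},
    "users": {"bob", "alice", "miekg"},
}

def _parse(conf):
    """Turn access.conf text into (allow, who_tokens, where_tokens) rules."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        perm, who, where = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", who.split(), where.split()))
    return rules

def _who_matches(user, token):
    if token == "ALL":
        return True
    group = re.fullmatch(r"\((\w+)\)", token)    # "(admin)" -> group admin
    if group:
        return user in GROUPS.get(group.group(1), set())
    return token == user

def _where_matches(origin, token):
    # Simplified: real pam_access also understands ttys, hostnames, LOCAL.
    return token == "ALL" or token == origin

def check(conf, user, origin="127.0.0.1"):
    """Return True if `user` logging in from `origin` would be allowed."""
    for allow, whos, wheres in _parse(conf):
        if any(_who_matches(user, w) for w in whos) and \
           any(_where_matches(origin, o) for o in wheres):
            return allow
    return True   # no line matched: pam_access falls through and allows

# The policies from the article, plus one restricting admins to an address.
POLICY_DENY_ALL = "- : ALL : ALL\n"
POLICY_MIEKG = "+ : miekg : ALL\n- : ALL : ALL\n"
POLICY_ADMIN = "+ : (admin) : ALL\n- : miekg : ALL\n- : ALL : ALL\n"
POLICY_TWO_GROUPS = "+ : (admin) (root) : ALL\n- : ALL : ALL\n"
POLICY_ADMIN_FROM_HOST = "+ : (admin) : 192.0.2.10\n- : ALL : ALL\n"
```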