# Group policy in Linux



Suppose you want to limit access to some servers so that only members
of a specific group (or of multiple groups) may log in.

The following is one way to tackle this. In this example I will
configure `ssh` access in such a way that only members of the
`admin` group can log in. The nice thing is that this works
regardless of any Kerberos or LDAP usage.

# Preparation

In `/etc/pam.d`, find the "service" to which you want to add a group
policy, for instance `sshd`, and edit that file (this is on Ubuntu).

Remove the comment so that this:

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

becomes:

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    account  required     pam_access.so

After that you can edit `/etc/security/access.conf`.

# Setting policy

The actual policy is set in the `access.conf` file located in
`/etc/security`. Currently the *fall-through* behavior is to
let everybody log in, so first we want to make sure *nobody*
can log in. Each line has several columns, separated by colons,
with the following meaning (also see *access.conf(5)*):

    +/- : WHO : WHERE

A `+` means access granted, a `-` means denied. `WHO` can be
a user or a group and `WHERE` is used (among other things) to
say you can only log in from a specific IP address. The whole
syntax reminds me of TCP wrappers.

Entries are evaluated in order and the first match decides, so to
disallow all logins `access.conf` should contain only one line:

    - : ALL : ALL

This means nobody can log in:

    % slogin miekg@localhost
     A T O O M  ---  foton.atoom.net
      
       $Hash: sshd_banner b93d7ef 1230802346 miekg $

    miekg@localhost's password: 
    Connection closed by 127.0.0.1

Yep, that works.

Now we extend `access.conf` to allow only me (**miekg**) to log in:

    + : miekg : ALL
    - : ALL : ALL

Testing with `slogin` confirms that I'm now able to log in.

Now only members of the `admin` group are allowed to log in:

    + : (admin) : ALL
    - : miekg : ALL
    - : ALL : ALL

Notice that the `miekg` entry is still there, but it will never be
reached because I'm also a member of the `admin` group. And indeed
I can now log in with ssh.

To allow multiple groups, use the following:

    + : (admin) (root) : ALL

This means that if you are a member of `admin` *or* `root` you are
allowed to log in. I have yet to think of a way to say you must be a
member of *both* groups.
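To make the first-match behavior of the policies above concrete, here is a small simulator of how `pam_access` walks `access.conf`. It is an added example, not code from the original post or from the PAM project, and it only models the subset of the syntax used on this page: a `+`/`-` permission, a `WHO` list of user names, `(group)` names and `ALL`, and a `WHERE` field of `ALL` or a single origin string. `EXCEPT` clauses, netgroups, hostnames and network masks that the real `pam_access` understands are deliberately left out, and the user's group memberships are passed in explicitly instead of being looked up from the system. The four policy texts are copies of the ones shown above.

```python
"""Simulate pam_access's first-match evaluation of /etc/security/access.conf.

Added example (not from the original post). Models only the subset of
access.conf used on the page: permission + or -, WHO made of user names,
(group) names and ALL, WHERE made of ALL or literal origin strings.
Real pam_access also supports EXCEPT, netgroups, hostnames and masks.
"""
from dataclasses import dataclass
from typing import Collection, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    allow: bool          # True for "+", False for "-"
    who: Tuple[str, ...]    # tokens such as "miekg", "(admin)", "ALL"
    where: Tuple[str, ...]  # tokens such as "ALL" or "127.0.0.1"


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into rules, keeping file order (order matters)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed access.conf entry: {raw!r}")
        rules.append(Rule(parts[0] == "+", tuple(parts[1].split()), tuple(parts[2].split())))
    return rules


def _who_matches(tokens: Tuple[str, ...], user: str, groups: Collection[str]) -> bool:
    """A WHO field matches if any token is ALL, the user name, or a group the user is in."""
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in groups:       # "(admin)" matches members of group admin
                return True
        elif tok == user:
            return True
    return False


def _where_matches(tokens: Tuple[str, ...], origin: str) -> bool:
    return any(tok == "ALL" or tok == origin for tok in tokens)


def check_access(rules: List[Rule], user: str, groups: Collection[str],
                 origin: str = "127.0.0.1") -> Tuple[bool, Optional[int]]:
    """Return (allowed, index of the deciding rule).

    The first rule whose WHO and WHERE both match decides; later rules are
    never reached. If nothing matches, access is granted (the fall-through
    behavior described above), so a policy should end with "- : ALL : ALL".
    """
    for idx, rule in enumerate(rules):
        if _who_matches(rule.who, user, groups) and _where_matches(rule.where, origin):
            return rule.allow, idx
    return True, None


# Constructed copies of the policies discussed on the page.
DENY_ALL = "- : ALL : ALL\n"
ONLY_MIEKG = "+ : miekg : ALL\n- : ALL : ALL\n"
ADMIN_GROUP = "+ : (admin) : ALL\n- : miekg : ALL\n- : ALL : ALL\n"
MULTI_GROUP = "+ : (admin) (root) : ALL\n- : ALL : ALL\n"


if __name__ == "__main__":
    # Hypothetical users and group memberships, constructed for the demo.
    for name, policy in [("deny all", DENY_ALL), ("only miekg", ONLY_MIEKG),
                         ("admin group", ADMIN_GROUP), ("admin or root", MULTI_GROUP)]:
        rules = parse_access_conf(policy)
        for user, groups in [("miekg", {"admin"}), ("miekg", set()), ("alice", {"root"}), ("bob", set())]:
            allowed, idx = check_access(rules, user, groups)
            print(f"{name:14} {user:6} groups={sorted(groups)!s:12} -> "
                  f"{'granted' if allowed else 'denied'} by rule {idx}")
```

Running it shows why the `- : miekg : ALL` line in the third policy is dead: `miekg` is granted by rule 0 via `(admin)` before rule 1 is ever consulted, while the same user without the group is denied by that line. It also shows the importance of the trailing `- : ALL : ALL`: drop it and any user not named earlier falls through to the default of granting access.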

