I got a security request that, in order to be able to ssh to the server,
user u2 has to ssh from some hosts assigned to u2, and user u3 has to ssh
from some hosts assigned to u3.
Any other users are not limited by this rule. So I modified
/etc/pam.d/sshd as below:
#%PAM-1.0
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
#auth requisite pam_succeed_if.so debug uid >= 500
#auth required pam_deny.so
# start customizing
# u3: if the user is u3, check the next line; otherwise skip it (jump 1)
auth [success=ok default=1] pam_succeed_if.so debug user = u3
# u3 must come from a host listed in u3_hosts; done = accept, die = reject
auth [success=done default=die] pam_listfile.so item=rhost sense=allow file=/etc/ssh/u3_hosts
# u2: same pattern with its own host list
auth [success=ok default=1] pam_succeed_if.so debug user = u2
auth [success=done default=die] pam_listfile.so item=rhost sense=allow file=/etc/ssh/u2_hosts
# everyone else: pam_permit.so always succeeds (the standard Linux-PAM module name)
auth sufficient pam_permit.so
# end customizing
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
The first four auth lines are from system-auth, with the second auth line
modified from "sufficient" to "required" so that the authentication
process continues down the stack to the checks for users u2 and u3.
The next five auth lines are added to authenticate u2 and u3, where
u2_hosts and u3_hosts list the hosts allowed for u2 and u3 respectively.
My test shows it satisfies the request. Does it expose any security
problem?
Or is there any better way to do it?
Any advice would be much appreciated.
Vu
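To make the control-flag logic of the stack above easy to reason about, here is an added example (not from the original post or from Linux-PAM) that models how Linux-PAM walks this exact auth stack, using the action vocabulary from pam.conf(5): ok, done, bad, die, ignore and the integer jump N (which counts as ok and skips the next N entries). The module implementations, the password table and the contents of the two host lists are constructed stand-ins; the final sufficient line is modelled as pam_permit.so, Linux-PAM's always-succeed module.

```python
"""Model of Linux-PAM control-flag evaluation for the sshd auth stack in the post.

Each stack entry is (control, module, args). A control is a dict with the
'success' and 'default' actions; 'required' and 'sufficient' are expanded to
the bracketed equivalents given in pam.conf(5).
"""

# Constructed sample data: stands in for /etc/shadow and the two rhost lists.
PASSWORDS = {"u1": "pw1", "u2": "pw2", "u3": "pw3"}
HOST_LISTS = {
    "/etc/ssh/u2_hosts": {"10.0.0.20", "jump2.example.net"},
    "/etc/ssh/u3_hosts": {"10.0.0.30"},
}

REQUIRED = {"success": "ok", "default": "bad"}
SUFFICIENT = {"success": "done", "default": "ignore"}


def pam_env(ctx, args):
    return True  # only sets environment variables; never fails auth


def pam_unix(ctx, args):
    return PASSWORDS.get(ctx["user"]) == ctx["password"]


def pam_succeed_if(ctx, args):
    # Only the "user = NAME" form used in the post is modelled.
    return ctx["user"] == args["user"]


def pam_listfile(ctx, args):
    # item=rhost sense=allow: succeed only if PAM_RHOST is listed in the file.
    return ctx["rhost"] in HOST_LISTS.get(args["file"], set())


def pam_permit(ctx, args):
    return True


SSHD_AUTH_STACK = [
    (REQUIRED, pam_env, {}),
    (REQUIRED, pam_unix, {}),
    ({"success": "ok", "default": 1}, pam_succeed_if, {"user": "u3"}),
    ({"success": "done", "default": "die"}, pam_listfile, {"file": "/etc/ssh/u3_hosts"}),
    ({"success": "ok", "default": 1}, pam_succeed_if, {"user": "u2"}),
    ({"success": "done", "default": "die"}, pam_listfile, {"file": "/etc/ssh/u2_hosts"}),
    (SUFFICIENT, pam_permit, {}),
]


def run_stack(stack, ctx):
    """Return True if the stack authenticates ctx, following pam.conf(5) actions."""
    impression = None  # None, "success" or "fail"; the first failure sticks
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        action = control["success"] if module(ctx, args) else control["default"]
        if isinstance(action, int):
            i += action  # jump N: skip the next N entries, then behave as ok
            action = "ok"
        if action in ("ok", "done"):
            if impression is None:
                impression = "success"
            if action == "done":
                # done ends the stack but never overrides an earlier failure
                return impression == "success"
        elif action == "bad":
            impression = "fail"
        elif action == "die":
            return False
        # "ignore" contributes nothing to the result
        i += 1
    return impression == "success"


def ssh_auth(user, password, rhost):
    """Evaluate the post's stack for one login attempt (rhost is PAM_RHOST)."""
    return run_stack(SSHD_AUTH_STACK, {"user": user, "password": password, "rhost": rhost})


if __name__ == "__main__":
    attempts = [
        ("u3", "pw3", "10.0.0.30"), ("u3", "pw3", "10.0.0.99"),
        ("u2", "pw2", "jump2.example.net"), ("u2", "pw2", "10.0.0.30"),
        ("u1", "pw1", "anywhere"), ("u1", "wrong", "anywhere"),
        ("u3", "wrong", "10.0.0.30"),
    ]
    for user, pw, rhost in attempts:
        print(f"{user:3} from {rhost:18} -> {'allow' if ssh_auth(user, pw, rhost) else 'deny'}")
```

Two points the model makes visible: because pam_unix.so is required, a wrong password still fails even when the stack reaches the final sufficient line or a done action, and a jump taken on a failed pam_succeed_if already counts as ok. Two things it does not model: pam_listfile compares PAM_RHOST as a string, so each list must contain exactly what sshd supplies (the resolved hostname when UseDNS resolves it, otherwise the IP address); and sshd only runs the PAM auth stack for password and keyboard-interactive logins, so the same restriction would have to live in the account stack to also cover public-key logins.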
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list