On Tue, Feb 17, 2009 at 18:27, vu pham <[email protected]> wrote:
> I get a security request that, in order to be able to ssh to the server,
> user u2 has to ssh from some hosts assigned to u2, and user u3 has to be
> from some hosts assigned to u3.
> Any other users are not limited by this rule. So I modify /etc/pam.d/sshd as
> below:
>
> #%PAM-1.0
> auth        required      pam_env.so
> auth        required      pam_unix.so nullok try_first_pass
> #auth        requisite     pam_succeed_if.so debug uid >= 500
> #auth        required      pam_deny.so
>
> # start customizing
> auth       [success=ok default=1]   pam_succeed_if.so debug user = u3
> auth       [success=done default=die]   pam_listfile.so  item=rhost sense=allow file=/etc/ssh/u3_hosts
> auth       [success=ok default=1] pam_succeed_if.so debug user = u2
> auth       [success=done default=die]   pam_listfile.so  item=rhost sense=allow file=/etc/ssh/u2_hosts
> auth       sufficient  pam_allow.so
> # end  customizing
>
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
>
> The first four auth lines are from system-auth, with the second auth line
> modified from "sufficient" to "required" so that the authentication
> process continues down the stack to the checks for users u2 and u3.
> The next five auth lines are added to authenticate u2 and u3, with u2_hosts
> and u3_hosts containing the hosts allowed for u2 and u3 respectively.
>
> My test shows it satisfies the request. Does it expose any security problem?
> Or is there any better way to do it?
>
I don't know if your solution presents any security problem (it might)
but probably a much easier and cleaner way of accomplishing the same
thing is to use pam_access. Have a look at pam_access(8) and
access.conf(5) or /usr/share/doc/pam-*/txts/README.pam_access.

I haven't used it in some time but basically you should be able to use
lines like the following in /etc/security/access.conf:

+:u2:host2
+:u3:host3

Cheers,

Lars
-- 
Lars Delhage RHC{E,X,A,SS} CL{P,E}{9,10} CNI LPIC-2.tel: +46 8 458 78 10
Nohup AB, Stortorget 1, 111 29 Stockholm           mob: +46 70 781 60 69
GPG ID: 569492FE                                url :http://www.nohup.se
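As an added illustration of the pam_access approach suggested above (this is example code written for this page, not part of either message and not pam_access itself), the following Python models how pam_access evaluates /etc/security/access.conf according to access.conf(5): rules are `permission : users : origins`, the first rule whose user and origin fields both match decides, and if no rule matches the login is granted. The configuration text and host names (host2.example.com, host3.example.com, user u9) are constructed for the example. Only a subset of the real syntax is modelled: plain user names and ALL in the user field, exact host names and ALL in the origin field; groups, EXCEPT, LOCAL, leading-dot domain suffixes, netgroups and IP/netmask matching are left out.

```python
"""Toy model of pam_access rule evaluation (added example, not pam_access itself).

Models this subset of /etc/security/access.conf syntax:
    permission : users : origins
permission is '+' (grant) or '-' (deny); users and origins are space-separated
lists of names or the keyword ALL.  Semantics modelled, per access.conf(5):
the first rule whose user and origin fields both match decides the result,
and a login matching no rule is granted.
"""
from dataclasses import dataclass

# Constructed sample: u2 and u3 are pinned to one host each by an allow rule
# followed by a deny-from-anywhere rule; all other users match no rule and
# are therefore unrestricted, which is what the original request asked for.
SAMPLE_ACCESS_CONF = """\
# constructed /etc/security/access.conf (subset of the real syntax)
+ : u2 : host2.example.com
- : u2 : ALL
+ : u3 : host3.example.com
- : u3 : ALL
"""

# Constructed counter-example: allow lines only.  Because an unmatched login
# is granted, u2 logging in from any other host still matches no rule and
# gets in, so these lines alone do not restrict anything.
ALLOW_ONLY_CONF = """\
+ : u2 : host2.example.com
+ : u3 : host3.example.com
"""


@dataclass(frozen=True)
class Rule:
    permit: bool
    users: frozenset
    origins: frozenset


def parse_access_conf(text):
    """Parse access.conf text into an ordered list of Rule objects.

    Comments (#) and blank lines are skipped; anything else must be three
    colon-separated fields with '+' or '-' as the first one.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(permit=(fields[0] == "+"),
                          users=frozenset(fields[1].split()),
                          origins=frozenset(fields[2].split())))
    return rules


def _field_matches(field, value):
    """A field matches if it contains ALL or the exact value."""
    return "ALL" in field or value in field


def access_allowed(rules, user, rhost):
    """First matching rule wins; a login matching no rule is granted."""
    for rule in rules:
        if _field_matches(rule.users, user) and _field_matches(rule.origins, rhost):
            return rule.permit
    return True


def evaluate_sample(user, rhost):
    """Evaluate a login against the constructed SAMPLE_ACCESS_CONF."""
    return access_allowed(parse_access_conf(SAMPLE_ACCESS_CONF), user, rhost)


def allow_only_leaks(user, rhost):
    """True when ALLOW_ONLY_CONF would let this login through."""
    return access_allowed(parse_access_conf(ALLOW_ONLY_CONF), user, rhost)


if __name__ == "__main__":
    cases = [("u2", "host2.example.com"), ("u2", "host9.example.com"),
             ("u3", "host3.example.com"), ("u9", "host9.example.com")]
    for user, rhost in cases:
        verdict = "allow" if evaluate_sample(user, rhost) else "deny"
        print(f"{user} from {rhost}: {verdict}")
    print("allow-only config lets u2 in from host9:",
          allow_only_leaks("u2", "host9.example.com"))
```

The module is activated on RHEL-style systems by adding `account required pam_access.so` to /etc/pam.d/sshd (pam_access also ships auth, session and password types, but the account stack is where host-based login restrictions are conventionally placed). The point the model makes visible is the ordering requirement: the `- : u2 : ALL` line must come after the `+ : u2 : host2.example.com` line, and without it the allow line on its own changes nothing for u2.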

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
