vu pham wrote:
> I get a security request that, in order to be able to ssh to the
> server, user u2 has to ssh from some hosts assigned to u2, and user u3
> has to be from some hosts assigned to u3.
> Any other users are not limited by this rule. So I modify
> /etc/pam.d/sshd as below:
>
> #%PAM-1.0
> auth required pam_env.so
> auth required pam_unix.so nullok try_first_pass
> #auth requisite pam_succeed_if.so debug uid >= 500
> #auth required pam_deny.so
>
> # start customizing
> auth [success=ok default=1] pam_succeed_if.so debug user = u3
> auth [success=done default=die] pam_listfile.so item=rhost sense=allow file=/etc/ssh/u3_hosts
> auth [success=ok default=1] pam_succeed_if.so debug user = u2
> auth [success=done default=die] pam_listfile.so item=rhost sense=allow file=/etc/ssh/u2_hosts
> auth sufficient pam_allow.so
> # end customizing
>
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
>
> The first four auth lines are from system-auth, with the second auth
> line modified from "sufficient" to "required" so that the authentication
> process goes on down the stack to check for users u2 and u3.
> The next five auth lines are added to authenticate u2 and u3, with
> u2_hosts and u3_hosts holding the hosts allowed for u2 and u3 respectively.
>
> My test shows it satisfies the request. Does it expose any security
> problem? Or is there any better way to do it?
>
> Any advice would be much appreciated.

What about using the "AllowUser u...@host" option in /etc/ssh/sshd_config?
If you use ssh keys or kerberos ticket forwarding, then I think that PAM is
bypassed entirely, depending on your sshd config. Check the "UsePAM" sshd
option.

Jason

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
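The two replies leave the actual behaviour of the posted auth stack implicit: what the `[success=ok default=1]` / `[success=done default=die]` pairs do for u2, u3 and everyone else, and why a public-key login never sees any of it. The following model, added here and not part of the thread or of Linux-PAM itself, walks the posted stack the way pam_dispatch does (ok/done/bad/die/ignore and numeric jumps) and then shows the sshd side of it. Everything it consults is constructed: the password table stands in for pam_unix's shadow lookup, the two host sets stand in for /etc/ssh/u2_hosts and /etc/ssh/u3_hosts, pam_allow.so is treated as an unconditional permit (pam_permit.so is the stock Linux-PAM module of that kind), and the model assumes a numeric jump skips modules without changing the result recorded so far, which is the behaviour the poster's test relies on. Two caveats the model does not hide: a required pam_unix failure is carried to the end of the stack no matter which later module says "done", and sshd (with UsePAM yes) only calls pam_authenticate for password and keyboard-interactive logins, so a key-based login skips this auth stack entirely, which is the bypass Jason points at. Also remember that pam_listfile matches whatever sshd stored in PAM_RHOST (the resolved name with UseDNS yes, the address otherwise), so the host files must be written in that form.

```python
"""Model of how Linux-PAM walks the auth stack posted in this thread.

Added illustration only: module bodies are stand-ins (constructed password
table and host sets instead of /etc/shadow and the /etc/ssh/u?_hosts files),
and pam_dispatch's control-flag handling is reproduced as far as this stack
needs it.
"""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"   # returned if no module contributed a result

# Constructed data, not real credentials or host lists.
PASSWORDS = {"u2": "pw2", "u3": "pw3", "alice": "pw-alice"}
U2_HOSTS = {"10.0.0.20"}          # stands in for /etc/ssh/u2_hosts
U3_HOSTS = {"10.0.0.30"}          # stands in for /etc/ssh/u3_hosts


def pam_env(ctx):
    return SUCCESS


def pam_unix(ctx):
    """pam_unix.so: password check against the constructed table."""
    return SUCCESS if PASSWORDS.get(ctx["user"]) == ctx["password"] else AUTH_ERR


def pam_succeed_if(expected_user):
    """pam_succeed_if.so 'user = X': PAM_SUCCESS only for that user."""
    return lambda ctx: SUCCESS if ctx["user"] == expected_user else AUTH_ERR


def pam_listfile_rhost(allowed_hosts):
    """pam_listfile.so item=rhost sense=allow: success only from listed hosts."""
    return lambda ctx: SUCCESS if ctx["rhost"] in allowed_hosts else AUTH_ERR


def pam_allow(ctx):
    # Treated as an unconditional permit (assumption; pam_permit.so is the stock module).
    return SUCCESS


# Control fields as pam.d(5) expands them: return value -> action.
REQUIRED = {SUCCESS: "ok", "default": "bad"}
SUFFICIENT = {SUCCESS: "done", "default": "ignore"}

# The auth stack from the posted /etc/pam.d/sshd, in order.
AUTH_STACK = [
    ("pam_env", REQUIRED, pam_env),
    ("pam_unix", REQUIRED, pam_unix),
    ("succeed_if user=u3", {SUCCESS: "ok", "default": 1}, pam_succeed_if("u3")),
    ("listfile u3_hosts", {SUCCESS: "done", "default": "die"}, pam_listfile_rhost(U3_HOSTS)),
    ("succeed_if user=u2", {SUCCESS: "ok", "default": 1}, pam_succeed_if("u2")),
    ("listfile u2_hosts", {SUCCESS: "done", "default": "die"}, pam_listfile_rhost(U2_HOSTS)),
    ("pam_allow", SUFFICIENT, pam_allow),
]


def run_auth_stack(ctx, stack=AUTH_STACK):
    """Return (final_code, trace) after walking the stack like pam_dispatch.

    'failed' marks the first bad/die result; later ok/done results cannot
    override it and 'done' no longer short-circuits.  A numeric action skips
    that many modules; the model assumes the skip leaves the recorded status
    untouched (assumption, consistent with the poster's observation).
    """
    status, failed, trace, i = None, False, [], 0
    while i < len(stack):
        name, control, module = stack[i]
        ret = module(ctx)
        action = control.get(ret, control["default"])
        trace.append(f"{name}: {ret} -> {action}")
        i += 1
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if not failed:
                status = ret
                if action == "done":
                    break           # short-circuit only if nothing failed earlier
        elif action in ("bad", "die"):
            if not failed:
                failed, status = True, ret
            if action == "die":
                break
        else:                       # integer jump over the next N modules
            i += action
    return (status if status is not None else PERM_DENIED), trace


def sshd_decision(user, rhost, method, password=None):
    """Outcome of one login attempt on an sshd with UsePAM yes.

    sshd calls pam_authenticate() only for password/keyboard-interactive
    logins; a public-key login never enters this auth stack (account and
    session stacks still run), which is the bypass the replies warn about.
    """
    if method == "publickey":
        return "allowed-without-auth-stack", []
    code, trace = run_auth_stack({"user": user, "rhost": rhost, "password": password})
    return ("allowed" if code == SUCCESS else "denied"), trace


if __name__ == "__main__":
    for case in [("u3", "10.0.0.30", "password", "pw3"),
                 ("u3", "10.0.0.99", "password", "pw3"),
                 ("u3", "10.0.0.99", "publickey"),
                 ("alice", "10.0.0.99", "password", "pw-alice")]:
        verdict, trace = sshd_decision(*case)
        print(case, "->", verdict, "|", "; ".join(trace))
```

Running the script prints the verdict and the module-by-module trace for each constructed case: u3 from a listed host is allowed, u3 from any other host dies at pam_listfile even with the right password, an unlisted user passes straight through to pam_allow, and a public-key login for u3 from an unlisted host is allowed without the auth stack ever running. The last line is the point of Jason's reply: the host restriction only holds if password/keyboard-interactive is the only way in, or if the restriction is enforced by sshd itself rather than by the PAM auth stack.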
