
Re: [rhelv5-list] a PAM question



vu pham wrote:
> I get a security request that, in order to be able to ssh to the
> server, user u2 has to ssh from some hosts assigned to u2, and user u3
> has to be from some hosts assigned to u3.
> Any other users are not limited by this rule. So I modify
> /etc/pam.d/sshd as below:
>
> #%PAM-1.0
> auth        required      pam_env.so
> auth        required      pam_unix.so nullok try_first_pass
> #auth        requisite     pam_succeed_if.so debug uid >= 500
> #auth        required      pam_deny.so
>
> # start customizing
> auth       [success=ok default=1]   pam_succeed_if.so debug user = u3
> auth       [success=done default=die]   pam_listfile.so  item=rhost sense=allow file=/etc/ssh/u3_hosts
> auth       [success=ok default=1] pam_succeed_if.so debug user = u2
> auth       [success=done default=die]   pam_listfile.so  item=rhost sense=allow file=/etc/ssh/u2_hosts
> auth       sufficient  pam_allow.so
> # end  customizing
>
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
>
> The first four auth lines are from system-auth with the second auth 
> modified from "sufficient" to "required" to allow the authentication
> process to go down checking for users u2 and u3.
> The next five auth lines are added to authenticate u2 and u3, with
> u2_hosts and u3_hosts holding the hosts allowed for u2 and u3 respectively.
>
> My test shows it satisfies the request. Does it expose any security
> problem?
> Or is there any better way to do it?
>
> Any advice would be much appreciated.
What about using the "AllowUser USER HOST" option in /etc/ssh/sshd_config?

If you use ssh keys or kerberos ticket forwarding, then I think that PAM
is bypassed entirely depending on your sshd config. Check the "UsePAM"
sshd option.

Jason
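As an added example (not part of this thread and not code from either poster), the following Python model walks the quoted sshd "auth" stack with the control-flag semantics from pam.conf(5), so the `[success=ok default=1]` jumps and the `[success=done default=die]` short-circuits can be checked against sample logins before the file goes live. It assumes that sshd actually consults PAM for the login (UsePAM yes and password authentication, the point Jason raises), models only success/fail module results, and uses constructed host lists and addresses; the module names are labels, not real module calls.

```python
# Added example (not from the thread): a small model of how Linux-PAM walks
# the "auth" stack quoted above. Assumptions: only success/fail results are
# modelled (no new_authtok_reqd, ignore, ... return codes), sshd really goes
# through PAM for the login, and the host lists/addresses are constructed.

# Control flags spelled out as pam.conf(5) defines them:
# "required" is [success=ok default=bad], "sufficient" is [success=done default=ignore].
REQUIRED = {"success": "ok", "default": "bad"}
SUFFICIENT = {"success": "done", "default": "ignore"}


def build_auth_stack(u2_hosts, u3_hosts):
    """Return the quoted sshd auth stack as (control, name, check) tuples.

    Each check takes the login context and returns True for module success.
    """
    return [
        (REQUIRED, "pam_env", lambda c: True),
        (REQUIRED, "pam_unix", lambda c: c["password_ok"]),
        ({"success": "ok", "default": 1}, "pam_succeed_if user = u3",
         lambda c: c["user"] == "u3"),
        ({"success": "done", "default": "die"}, "pam_listfile u3_hosts",
         lambda c: c["rhost"] in u3_hosts),
        ({"success": "ok", "default": 1}, "pam_succeed_if user = u2",
         lambda c: c["user"] == "u2"),
        ({"success": "done", "default": "die"}, "pam_listfile u2_hosts",
         lambda c: c["rhost"] in u2_hosts),
        (SUFFICIENT, "pam_allow", lambda c: True),
    ]


def run_auth(stack, ctx):
    """Walk the stack with pam.conf(5) semantics; return (allowed, trace)."""
    impression = None  # None: undecided, True: success so far, False: failed
    trace = []
    i = 0
    while i < len(stack):
        control, name, check = stack[i]
        ok = check(ctx)
        action = control["success"] if ok else control["default"]
        trace.append((name, "success" if ok else "fail", action))
        if isinstance(action, int):
            # "default=N": skip the next N modules in the stack
            i += action + 1
            continue
        if action == "ok":
            # success only counts if nothing earlier has already failed
            if impression is None:
                impression = True
        elif action == "bad":
            # the first failure decides the result; later modules still run
            if impression is not False:
                impression = False
        elif action == "die":
            impression = False
            break
        elif action == "done":
            if impression is None:
                impression = True
            if impression:
                break  # return at once, unless a prior required module failed
        # "ignore": the module result does not affect the outcome
        i += 1
    return impression is True, trace


def check_login(user, rhost, password_ok=True):
    """Evaluate one login against constructed sample host lists."""
    stack = build_auth_stack(u2_hosts={"10.0.0.2"}, u3_hosts={"10.0.0.3"})
    allowed, _ = run_auth(stack, {"user": user, "rhost": rhost,
                                   "password_ok": password_ok})
    return allowed


if __name__ == "__main__":
    for user, rhost in [("u3", "10.0.0.3"), ("u3", "10.0.0.9"),
                        ("u2", "10.0.0.2"), ("u2", "10.0.0.3"),
                        ("u1", "192.0.2.7")]:
        print(user, rhost, "allowed" if check_login(user, rhost) else "denied")
```

Running it shows the behaviour the poster tested: u3 and u2 get in only from their own list, any other user passes through both skips to the final sufficient line, and a failed pam_unix (wrong password) is never rescued by the later `done` actions because the first required failure already fixed the stack result.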

