[CentOS] pam_access not working?

Thu Nov 30 15:35:19 UTC 2006
Morten Kjeldgaard <mok at bioxray.dk>

Barry wrote:
> Is there a reverse DNS entry for the machine you are denying yourself 
> from?  Try using the ip address instead of the hostname so we can 
> eliminate that from the equation.
OK, good point! I changed the entry in /etc/security/access.conf to

-:mok:beast

(instead of -:mok:10.14.44.104)

> I've just had a play on a test system and I seem to have it working.

... and set up the sshd with UsePAM yes as suggested by Will, and now 
the setup WORKS!

We _do_ have reverse IP lookup, but perhaps the reverse lookup and the 
authentication do not agree on whether to use a FQDN or the short form. 
Anyhow, using the short form works in our setup. So, now that it works, 
I could test to see what breaks it again, and it is definitely important 
to have the "UsePAM yes" line in sshd_config.

> [user at client ~]$ ssh -ltestuser 192.168.24.112
> Password:
> Password:
> Password:
> Permission denied (publickey,keyboard-interactive).

I get the same (unfriendly) message. It would be nice to be able to 
print a message to the user, explaining why access is denied. Otherwise 
we will have users standing in lines demanding an explanation. I guess 
it is possible with some sneaky PAM engineering; I will look into that next.

Thanks for the help!
Cheers,
Morten

-- 
Morten Kjeldgaard, Asc. professor, Ph.D.
Department of Molecular Biology, Aarhus University
Gustav Wieds Vej 10 C, DK-8000 Aarhus C, Denmark
Lab +45 89425026 * Mobile +45 51860147 * Fax +45 86123178
Home +45 86188180 * http://www.bioxray.dk/~mok
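
Added example, not part of the original message and not pam_access's own code: a simplified model of how an access.conf line is matched when the origin field is compared as a plain string, showing why a short-name rule such as `-:mok:beast` only fires when the origin handed to PAM is exactly that string. The FQDN `beast.example.test` is a constructed placeholder, and the model assumes no DNS resolution, `EXCEPT`, groups or netgroups.

```python
# Simplified model of /etc/security/access.conf matching (added example).
# Supports: ALL, exact user names, exact host/IP strings, ".domain" suffixes,
# "net." prefixes and LOCAL. No EXCEPT, groups, netgroups or DNS resolution.

def origin_matches(token, origin):
    token, origin = token.lower(), origin.lower()
    if token == "all":
        return True
    if token == "local":            # LOCAL: any origin string without a dot
        return "." not in origin
    if token.startswith("."):       # ".example.test": domain suffix
        return origin.endswith(token)
    if token.endswith("."):         # "10.14.": network-number prefix
        return origin.startswith(token)
    return token == origin          # otherwise a literal string comparison

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % perm)
        rules.append((perm, users.split(), origins.split()))
    return rules

def access_allowed(rules, user, origin):
    for perm, users, origins in rules:
        user_hit = any(u in ("ALL", user) for u in users)
        if user_hit and any(origin_matches(t, origin) for t in origins):
            return perm == "+"      # first matching line decides
    return True                     # no line matched: access is granted

# Constructed rule and origin strings; the FQDN is a made-up placeholder.
RULES = parse_rules("-:mok:beast\n")
CANDIDATE_ORIGINS = ["beast", "beast.example.test", "10.14.44.104"]

def report(rules=RULES, user="mok"):
    return {o: access_allowed(rules, user, o) for o in CANDIDATE_ORIGINS}

if __name__ == "__main__":
    for origin, ok in report().items():
        print("%-22s %s" % (origin, "allowed" if ok else "DENIED"))
```

Under this model a deny rule that names only one form of the host leaves the other forms allowed, so a rule should list every origin string the service might report (short name, FQDN and address) or use a domain or network pattern.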