[CentOS] pam_access not working?

Will McDonald wmcdonald at gmail.com
Thu Nov 30 14:26:26 UTC 2006

On 30/11/06, Morten Kjeldgaard <mok at bioxray.dk> wrote:
> Big thanks to Barry Brimer and Will McDonald for your suggestions!

No problem.

> I had big hopes for the "UsePAM  yes" in sshd_config since I was not
> aware of that option, and it seemed like THE solution. However, tried
> it, restarted the sshd daemon but still the same, I can still log on.
> Totally strange.

I've just had a play on a test system and I seem to have it working.

[root at server ~]# grep -v ^# /etc/ssh/sshd_config

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
UsePAM yes
LogLevel DEBUG
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

[root at server ~]# grep -v ^# /etc/security/access.conf

[root at server ~]# grep -v ^# /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/pam_access.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

So that's nothing in access.conf, all I've added in system-auth is
"account     required      /lib/security/pam_access.so" as in your
example, though that was a default setup which has more that yours
appears to.

The sshd_config is tailored by my Kickstart and from that I've added

UsePAM yes
LogLevel DEBUG

You don't want to run with LogLevel DEBUG under normal circumstances.

Note, the man page states you need either PasswordAuthentication or
ChallengeResponseAuthentication disabled, too.

[user at client ~]$ ssh -ltestuser
Last login: Thu Nov 30 14:11:58 2006 from client
[testuser at server ~]$ exit
Connection to closed.

That's me authed and connected, which that SSH configuration typically
wouldn't have allowed without PAM enabled since its keys-only.

Now add an entry into access.conf.

[root at server ~]# grep -v ^# /etc/security/access.conf

[user at client ~]$ ssh -ltestuser
Permission denied (publickey,keyboard-interactive).

More information about the CentOS mailing list