[CentOS] pam_access not working?

Thu Nov 30 14:26:26 UTC 2006
Will McDonald <wmcdonald at gmail.com>

On 30/11/06, Morten Kjeldgaard <mok at bioxray.dk> wrote:
>
> Big thanks to Barry Brimer and Will McDonald for your suggestions!

No problem.

> I had big hopes for the "UsePAM  yes" in sshd_config since I was not
> aware of that option, and it seemed like THE solution. However, tried
> it, restarted the sshd daemon but still the same, I can still log on.
> Totally strange.

I've just had a play on a test system and I seem to have it working.

[root at server ~]# grep -v ^# /etc/ssh/sshd_config

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
UsePAM yes
LogLevel DEBUG
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

[root at server ~]# grep -v ^# /etc/security/access.conf

[root at server ~]# grep -v ^# /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/pam_access.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

So that's nothing in access.conf, all I've added in system-auth is
"account     required      /lib/security/pam_access.so" as in your
example, though that was a default setup which has more than yours
appears to.

The sshd_config is tailored by my Kickstart and from that I've added

UsePAM yes
LogLevel DEBUG

You don't want to run with LogLevel DEBUG under normal circumstances.

Note, the man page states you need either PasswordAuthentication or
ChallengeResponseAuthentication disabled, too.

[user at client ~]$ ssh -ltestuser 192.168.24.112
Password:
Last login: Thu Nov 30 14:11:58 2006 from client
[testuser at server ~]$ exit
Connection to 192.168.24.112 closed.

That's me authed and connected, which that SSH configuration typically
wouldn't have allowed without PAM enabled since it's keys-only.

Now add an entry into access.conf.

[root at server ~]# grep -v ^# /etc/security/access.conf
-:testuser:ALL

[user at client ~]$ ssh -ltestuser 192.168.24.112
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
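The denial above comes from the first line in access.conf whose user and origin fields both match the login; a user with no matching line is permitted, which is why an empty access.conf changes nothing and why an ordering mistake can silently allow access. The following evaluator is an added example, not code from the thread or from pam_access itself: it parses the `permission:users:origins` format from access.conf(5) and applies first-match semantics over a constructed sample file that includes the thread's `-:testuser:ALL` rule. It models only the rule file, not the sshd/PAM plumbing (UsePAM, the account stack) that the thread shows is needed before pam_access is consulted at all; group membership is passed in rather than read from /etc/group, and only a subset of origin syntax (ALL, LOCAL, exact host/IP, `.domain` suffix, `192.168.` prefix, EXCEPT) is handled.

```python
"""Toy evaluator for /etc/security/access.conf (pam_access) first-match rules.

Added example, not code from the original thread or from pam_access. Each
line is  permission : users : origins ; the first line whose users AND
origins fields both match decides, and a user with no matching line is
permitted. Netmask/CIDR origins are not modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample access.conf content (not from the original post);
# the first rule is the one used in the thread.
SAMPLE_ACCESS_CONF = """
# deny testuser from everywhere
-:testuser:ALL
# root only from the console or the management network
+:root:LOCAL 192.168.24.
-:root:ALL
# wheel members from the corporate domain, everyone else denied
+:(wheel):.example.com
-:ALL EXCEPT (wheel):ALL
"""


@dataclass
class Rule:
    permit: bool          # '+' permits, '-' denies
    users: List[str]      # space-separated user/group items, may contain EXCEPT
    origins: List[str]    # space-separated origin items, may contain EXCEPT


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text, skipping comments and blank lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0].strip() == "+", fields[1].split(), fields[2].split()))
    return rules


def _split_except(items: List[str]) -> Tuple[List[str], List[str]]:
    """Split 'a b EXCEPT c' into (include=[a, b], exclude=[c])."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return items[:i], items[i + 1:]
    return items, []


def _user_matches(item: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # (group) forces group lookup
        return user in groups.get(item[1:-1], set())
    return item == user


def _origin_matches(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "LOCAL":                 # no dot: tty name or unqualified host
        return "." not in origin
    if item.startswith("."):            # '.example.com' matches any host below it
        return origin.endswith(item)
    if item.endswith("."):              # '192.168.24.' matches that address prefix
        return origin.startswith(item)
    return item == origin


def _field_matches(items: List[str], value: str, matcher: Callable[[str, str], bool]) -> bool:
    include, exclude = _split_except(items)
    return any(matcher(i, value) for i in include) and not any(matcher(i, value) for i in exclude)


def check_access(rules: List[Rule], user: str, origin: str,
                 groups: Optional[Dict[str, Set[str]]] = None) -> Tuple[bool, Optional[Rule]]:
    """Return (permitted, matching_rule); no matching rule means permitted."""
    groups = groups or {}
    for rule in rules:
        if _field_matches(rule.users, user, lambda i, u: _user_matches(i, u, groups)) \
                and _field_matches(rule.origins, origin, _origin_matches):
            return rule.permit, rule
    return True, None


def is_permitted(user: str, origin: str, groups: Optional[Dict[str, Set[str]]] = None,
                 conf: str = SAMPLE_ACCESS_CONF) -> bool:
    return check_access(parse_access_conf(conf), user, origin, groups)[0]


if __name__ == "__main__":
    grp = {"wheel": {"alice"}}
    for who, where in [("testuser", "client"), ("root", "tty1"), ("root", "10.0.0.1"),
                       ("bob", "ws1.example.com"), ("alice", "10.0.0.1")]:
        ok, rule = check_access(parse_access_conf(SAMPLE_ACCESS_CONF), who, where, grp)
        print(f"{who}@{where}: {'permit' if ok else 'deny'} via {rule}")
```

The last case in the usage block (`alice` from `10.0.0.1`) is the one worth noticing: no line matches, so pam_access permits by default. A rule file that is meant to be deny-by-default needs a final `-:ALL:ALL` (or the `EXCEPT` form) whose origin field really does cover every origin.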