[CentOS] pam_access.so restrictions not working - syntax errors?
Dirk H. Schulz
dirk.schulz at kinzesberg.de
Fri Mar 20 14:49:28 UTC 2009
I want to restrict root access via ssh to certain (internal) hosts.
That is what pam_access.so is for, I thought, so I configured:
in /etc/security/access.conf I added (nothing in there before):
+ : root : 192.168.123.0/24 10.72.0.0/16
- : root : ALL
in /etc/pam.d/ssh I added at the end:
account required pam_access.so
Then I restarted the ssh server.
Basically, this kinda works. Cron suddenly had no right to do it's
job, so I had to add
+ : root : LOCAL
But there still is no restriction on ssh logins by root - I can still
login from anywhere.
Next I tried putting it in one line in /etc/security/access.conf:
- : root : ALL EXCEPT LOCAL 192.168.123.0/24 10.72.0.0/16
That did not change anything, still I can log in via ssh.
I am stuck. According to documentation and the examples on the net
this should be the right syntax. And, by the way, in my /etc/ssh/
sshd_config I have "UsePAM yes".
Any help or hint is appreciated.
More information about the CentOS