Home > Articles > Programming > Android

  • Print
  • + Share This

Using pam_access

The pam_access module is another access control module. It is similar to pam_listfile in that it is a generic access control mechanism. It differs from pam_listfile, however, in two ways. First, it supports only module type account. Essentially, this difference means that we have similar access control functionality available to use for module type auth (pam_listfile) and module type account (pam_access). This allows us to control applications that do not support one or the other module type. An example of such a situation is given in the section Further Restricting Access with PAM on page 304 in Chapter 11.

Second, it requires the configuration file, /etc/security/access.conf. Entries in this file are of the form permission : users : origins

Each of the fields in /etc/security/access.conf are described in Table 5.12. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.

For example, suppose that you wish to restrict login access to certain users from certain hosts on a particular system; let's call the local host pyramid. Example 5-21 illustrates a sample /etc/security/access.conf file that provides access restrictions on pyramid. The line numbers in Example 5-21 are provided for clarity and are not part of the file. In this case, line 2 disallows all access from the domains, evil.com and spam.org. Line 3 disallows all access at the console except by root. Line 4 grants access to all users except root if the connection is arriving from the network. Line 5 grants access to all members of the wheel group and to the user paul from the host leghorn. Line 6 denies all other access.

Table 5.12 Fields in /etc/security/access.conf




Either + indicating access is allowed or – indicating access is denied.


A space-separated list of usernames, groupnames, or netgroups. All netgroup names must be preceded by @. The special wildcard ALL may also be used to always match in this field. You may also use the special keyword EXCEPT to conditionalize a list.


A space-separated list of ttynames, hostnames, domainnames (any name beginning with a "."), or network addresses (the network portion of the IP address ending in a "."). The wildcards ALL (which always matches) and LOCAL (which matches any name not ending with a ".") may also be used. You may also use the special keyword EXCEPT to conditionalize a list.

Example 5-21 Sample /etc/security/access.conf File

1. # access.conf file
2. -:ALL:.evil.com .spam.org
3. -:ALL EXCEPT root: tty1
4. +:ALL EXCEPT root:172.17.
5. +:wheel paul:leghorn
6. -:ALL:ALL

Now, simply add the line

Account  required   /lib/security/pam_access.so

as desired to any of the configuration files in the /etc/pam.d directory.

Example 5-22 shows this entry in bold in the /etc/pam.d/login file.

Example 5-22 Adding pam_access to the /etc/pam.d/login File

auth    required  /lib/security/pam_securetty.so
auth    required  /lib/security/pam_pwdb.so
auth    required  /lib/security/pam_nologin.so
account  required  /lib/security/pam_pwdb.so
account  required  /lib/security/pam_access.so
password  required  /lib/security/pam_cracklib.so minlen=20
retry=3 type=SECRET
password  required  /lib/security/pam_pwdb.so md5 use_authtok
session  required  /lib/security/pam_pwdb.so

Any attempted access from a denied location will result in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console.

Example 5-23 Failed Login Attempt Due to pam_access

pyramid login: paul 

Permission denied 
pyramid login: 

All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.