- Pluggable Authentication Modules
- PAM OVERVIEW
- PAM Configuration
- PAM ADMINISTRATION
- PAM and Passwords
- PAM and Passwords Summary
- PAM and login
- Time and Resource Limits
- Access Control with pam_listfile
- PAM and su
- Using pam_access
- Using pam_lastlog
- Using pam_rhosts_auth
- One-Time Password Support
- PAM and the other Configuration File
- Additional PAM Options
- PAM LOGS
- AVAILABLE PAM MODULES
- PAM-AWARE APPLICATIONS
- IMPORTANT NOTES ABOUT CONFIGURING PAM
- THE FUTURE OF PAM
- FOR FURTHER READING
- On-Line Documentation
The pam_access module is another access control module. It is similar to pam_listfile in that it is a generic access control mechanism. It differs from pam_listfile, however, in two ways. First, it supports only module type account. Essentially, this difference means that we have similar access control functionality available to use for module type auth (pam_listfile) and module type account (pam_access). This allows us to control applications that do not support one or the other module type. An example of such a situation is given in the section Further Restricting Access with PAM on page 304 in Chapter 11.
Second, it requires the configuration file, /etc/security/access.conf. Entries in this file are of the form permission : users : origins
Each of the fields in /etc/security/access.conf are described in Table 5.12. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.
For example, suppose that you wish to restrict login access to certain users from certain hosts on a particular system; let's call the local host pyramid. Example 5-21 illustrates a sample /etc/security/access.conf file that provides access restrictions on pyramid. The line numbers in Example 5-21 are provided for clarity and are not part of the file. In this case, line 2 disallows all access from the domains, evil.com and spam.org. Line 3 disallows all access at the console except by root. Line 4 grants access to all users except root if the connection is arriving from the 172.17.0.0 network. Line 5 grants access to all members of the wheel group and to the user paul from the host leghorn. Line 6 denies all other access.
Table 5.12 Fields in /etc/security/access.conf
Either + indicating access is allowed or indicating access is denied.
A space-separated list of usernames, groupnames, or netgroups. All netgroup names must be preceded by @. The special wildcard ALL may also be used to always match in this field. You may also use the special keyword EXCEPT to conditionalize a list.
A space-separated list of ttynames, hostnames, domainnames (any name beginning with a "."), or network addresses (the network portion of the IP address ending in a "."). The wildcards ALL (which always matches) and LOCAL (which matches any name not ending with a ".") may also be used. You may also use the special keyword EXCEPT to conditionalize a list.
Example 5-21 Sample /etc/security/access.conf File
1. # access.conf file 2. -:ALL:.evil.com .spam.org 3. -:ALL EXCEPT root: tty1 4. +:ALL EXCEPT root:172.17. 5. +:wheel paul:leghorn 6. -:ALL:ALL
Now, simply add the line
Account required /lib/security/pam_access.so
as desired to any of the configuration files in the /etc/pam.d directory.
Example 5-22 shows this entry in bold in the /etc/pam.d/login file.
Example 5-22 Adding pam_access to the /etc/pam.d/login File
auth required /lib/security/pam_securetty.so auth required /lib/security/pam_pwdb.so auth required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so account required /lib/security/pam_access.so password required /lib/security/pam_cracklib.so minlen=20 retry=3 type=SECRET password required /lib/security/pam_pwdb.so md5 use_authtok session required /lib/security/pam_pwdb.so
Any attempted access from a denied location will result in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console.
Example 5-23 Failed Login Attempt Due to pam_access
pyramid login: paul Password: Permission denied pyramid login:
All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.