
Re: Restrict Access to Hosts



On Mon, 22 Apr 2002 thomas.emde@scaleon.de wrote:

> I manage linux users in an LDAP directory and want to restrict the access of
> certain users to certain hosts.
> I have set up /etc/pam.d/sshd on the host the user accesses as follows:
>
> #%PAM-1.0
> auth     required       /lib/security/pam_ldap.so
> auth     required       /lib/security/pam_unix.so       # set_secrpc
> auth     required       /lib/security/pam_nologin.so
> auth     required       /lib/security/pam_env.so
> auth     required       /lib/security/pam_mail.so
> account  sufficient     /lib/security/pam_ldap.so
> account  required       /lib/security/pam_unix.so
> password required       /lib/security/pam_pwcheck.so
> password required       /lib/security/pam_unix.so       use_first_pass use_authtok
> password sufficient     /lib/security/pam_ldap.so
> session  required       /lib/security/pam_unix.so       none # trace or debug
> session  required       /lib/security/pam_limits.so
>
> The access control part in my ldap server config file looks like this:
>
> defaultaccess none
> access to attr=userPassword
>         by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
>         by self write
>         by anonymous auth
> access to *
>         by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
>         by self write
>         by * read
>
> With this configuration the access restriction to hosts listed via a "host"
> attribute in the ldap entry of the user works fine.
> But, now it is not possible for a "normal" passwd-user to log into the machine.

Right.  This is because with:

auth     required       /lib/security/pam_ldap.so

... you are requiring the user to authenticate against the LDAP server.  If
they don't authenticate (because they only have an account in /etc/passwd,
for example) then the authentication check fails and the user is denied
access.


> If I change the "auth required" for pam_ldap.so
> into an "auth sufficient", then both types of users can log in, but the "host"
> attribute is ignored, probably due to the "anonymous auth"
> access directive in the ldap config.

Probably not.  I presume you're using nssldap?  When pam_ldap checked
the account it respected the host attribute.  But since pam_ldap is
only 'sufficient' it checks for an account via pam_unix, and I suspect
you have 'ldap' in your /etc/nsswitch.conf file.  Unfortunately nssldap
*doesn't* check the host attribute (or groupdn if you're using that for
host access), sees that there's an account, and allows the login.

Changing the account check to:

account  required     /lib/security/pam_ldap.so

... will allow the host access to work but then users in the /etc/passwd
file can't log in.

Solutions?  For the account check you need to check only the local
files.  You can use pam_pwdb or pam_localuser:

Change:

account  required       /lib/security/pam_unix.so

To:

account  required       /lib/security/pam_pwdb.so

Or:

account  required       /lib/security/pam_localuser.so


Unfortunately I'm using Debian (Woody) GNU/Linux which has phased
out pam_pwdb and doesn't come with pam_localuser.  I haven't found
an ideal workaround that doesn't involve trying to shoehorn in additional
PAM modules that would have to be manually maintained rather than using
the otherwise excellent Debian packaging system.

Hope this helps,

Dan Parker
Sr. Systems Administrator
Hampshire College
Amherst, MA
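As an added illustration of the account-phase behaviour discussed above (this is not code from either message, nor from Linux-PAM, pam_ldap or nssldap), the following Python model evaluates the `required`/`sufficient` stacking rules over three constructed accounts: a local-only user, an LDAP user whose `host` attribute lists the workstation, and an LDAP user whose `host` attribute does not. The user names, hostnames and the "files ldap" nsswitch order are hypothetical sample data; the three stacks are the poster's original account stack, the "account required pam_ldap" variant, and the pam_localuser replacement the reply recommends.

```python
"""Toy model of Linux-PAM 'required'/'sufficient' stacking for the account
phase. Added illustration with constructed data; not PAM, pam_ldap or nssldap
code. Each fake module returns True (PAM_SUCCESS) or False (any error)."""

# Constructed sample data (hypothetical users and hosts).
LOCAL_PASSWD = {"alice"}                      # exists only in /etc/passwd
LDAP_USERS = {                                # LDAP entries with a 'host' attribute
    "bob":   {"host": {"ws1", "ws2"}},
    "carol": {"host": {"ws9"}},
}
NSSWITCH_PASSWD = ["files", "ldap"]           # 'passwd:' line of /etc/nsswitch.conf


def pam_ldap_account(user, host):
    """pam_ldap account check: succeeds only for an LDAP user whose
    'host' attribute names the host being logged into."""
    entry = LDAP_USERS.get(user)
    return entry is not None and host in entry["host"]


def pam_unix_account(user, host):
    """pam_unix resolves the account through NSS.  With 'ldap' in
    nsswitch.conf it therefore sees LDAP accounts as well, and it never
    looks at the 'host' attribute (the behaviour the reply describes)."""
    for source in NSSWITCH_PASSWD:
        if source == "files" and user in LOCAL_PASSWD:
            return True
        if source == "ldap" and user in LDAP_USERS:
            return True
    return False


def pam_localuser_account(user, host):
    """pam_localuser succeeds only if the user is listed in /etc/passwd,
    regardless of what NSS would return."""
    return user in LOCAL_PASSWD


def run_stack(stack, user, host):
    """Evaluate a list of (control, module) pairs the way Linux-PAM treats
    the simple 'required' and 'sufficient' keywords:
      - required:   a failure is remembered but the stack keeps running;
      - sufficient: a success ends the stack with PAM_SUCCESS unless an
                    earlier 'required' module already failed; a failure
                    is ignored."""
    failed = False
    for control, module in stack:
        ok = module(user, host)
        if control == "required":
            if not ok:
                failed = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return not failed


# The poster's account stack: host attribute bypassed via nssldap.
ORIGINAL_STACK = [("sufficient", pam_ldap_account),
                  ("required", pam_unix_account)]
# 'account required pam_ldap': host attribute honoured, local users locked out.
STRICT_STACK = [("required", pam_ldap_account),
                ("required", pam_unix_account)]
# The reply's fix: pam_localuser instead of pam_unix for the local fallback.
FIXED_STACK = [("sufficient", pam_ldap_account),
               ("required", pam_localuser_account)]


def decisions(stack, host="ws1"):
    """Return {user: allowed?} for the three sample accounts on one host."""
    return {u: run_stack(stack, u, host) for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK),
                        ("strict", STRICT_STACK),
                        ("fixed", FIXED_STACK)):
        print(name, decisions(stack))
```

Running it shows the three outcomes the thread walks through: with the original stack `carol` is let in even though `ws1` is not in her `host` attribute, because pam_unix found her account through nssldap; with `account required pam_ldap.so` the local user `alice` is refused; with pam_localuser as the required fallback, `alice` and `bob` are admitted and `carol` is refused.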