Linux PAM configuration that allows or denies login via the sshd server
2012-03-31 03:09
423 views
The idea is very simple: you want to limit who can use sshd based on a list of users. A text file contains the users that may not log in (or, alternatively, the only users that may log in) through the SSH server. This is used to improve security. PAM (Pluggable Authentication Modules) lets you define a flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users with the sshd configuration options (AllowUsers / DenyUsers in sshd_config). However, if you want to block or allow a large number of users, a PAM list file is easier to maintain than a long option line, so use the PAM configuration instead.
A note for new sys admins
Back up all data and the PAM configuration files before any modification :) Be careful when applying this configuration: a wrong configuration can lock out all login access, including root. Keep an existing root session open in a second terminal while you test, and only close it once a fresh ssh login has succeeded.
Read this Linux-PAM configuration file syntax guide
Now continue reading below for the pam_listfile.so configuration...
Use of pam_listfile.so module
This PAM module allows or denies access based on the contents of a specified file. For example, if the username exists in the file /etc/sshd/sshd.allow, sshd will grant login access. This requires UsePAM yes in sshd_config (the default on most distributions). One caveat: sshd runs the PAM auth stack only for password and keyboard-interactive logins; a public-key login skips it but still goes through the account stack, so if the list must also cover users with authorized keys, add the same line with account in place of auth (or use the sshd_config AllowUsers / DenyUsers options, which apply to every authentication method).
How do I configure pam_listfile.so module to deny access?
You want to block a user if the user name exists in the file /etc/sshd/sshd.deny (create the /etc/sshd directory first if it does not exist). Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
Save and close the file. Now add all usernames to the /etc/sshd/sshd.deny file. A user is denied login via sshd if they are listed in this file:
# vi /etc/sshd/sshd.deny
Append one username per line:
user1
user2
...
The list file must be owned by root and must not be world-writable; otherwise pam_listfile treats it as an error and applies the onerr= setting. Restart the sshd service (the PAM configuration is read at every login, so this is not strictly required):
# /etc/init.d/sshd restart
Understanding the config directives:
auth required pam_listfile.so : Name of the module required while authenticating users.
item=user : Check the username.
sense=deny : Deny the user if they are listed in the specified file.
file=/etc/sshd/sshd.deny : Name of the file which contains the list of users (one user per line).
onerr=succeed : If an error is encountered (for example the file is missing or unreadable), PAM returns PAM_SUCCESS. Note that this fails open: a deleted or unreadable deny list stops denying anyone. Once the file is in place, onerr=fail is the safer choice.
How do I configure pam_listfile.so module to allow access?
You want to ALLOW a user to use ssh only if the user name exists in the file /etc/sshd/sshd.allow. Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
Save and close the file. Now add all usernames to the /etc/sshd/sshd.allow file. A user is allowed to log in via sshd only if they are listed in this file, so remember to list every account that must still reach the box over ssh, including root or your admin account:
# vi /etc/sshd/sshd.allow
Append one username per line:
tony
om
rocky
Restart the sshd service (optional):
# /etc/init.d/sshd restart
Now if paul tries to log in using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).
The following log entry is recorded in my log file (/var/log/secure or /var/log/auth.log):
# tail -f /var/log/auth.log
Output:
Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx
Understanding the config directives:
auth required pam_listfile.so : Name of the module required while authenticating users.
item=user : Check the username.
sense=allow : Allow the user only if they are listed in the specified file.
file=/etc/sshd/sshd.allow : Name of the file which contains the list of users (one user per line).
onerr=fail : If the file does not exist, is not owned by root, is world-writable, or is otherwise unusable, nobody will be allowed to log in. This fails closed, which is the right default for an allow list, but it means a missing file locks everyone out of ssh, including root, so keep a console session available while you set it up.