Limit SSH users with PAM

PAM (Pluggable Authentication Module) can be used to limit users who have access to a certain service based on a list. For example, you can limit SSH connections via PAM.

In "/etc/pam.d/sshd", add the following line:

auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist

This will allow a user to login via sshd if they are listed in the "/etc/ssh_allow.pamlist" file. The options specified have the following meanings:

  • onerr=fail -- If an error occurs (file specified is not found or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for onerr is "succeed".
  • item=user -- Testing or verifythe user's login name.
  • sense=allow -- If the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for sense is "deny".
  • file=/etc/ssh_allow.pamlist -- This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.

With that, the "/etc/pam.d/sshd" will look like:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_listfile.so onerr=fail item=user \
                          sense=allow file=/etc/ssh_allow.pamlist
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Put the valid SSH users in the "/etc/ssh_allow.pamlist" file. Each username should be on a new line.

Related Reading:

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
you just add the following

you just add the following statements at the first line

auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed

The pam excute sequence is line from top to button

Comment