PAM (Pluggable Authentication Modules) can be used to restrict which users may access a given service, based on a list of names. For example, SSH logins can be limited with the pam_listfile module.
In "/etc/pam.d/sshd", add the following line (the full module path is optional; a bare module name such as pam_listfile.so is resolved from the system's PAM module directory):
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
This will allow a user to log in via sshd only if they are listed in the "/etc/ssh_allow.pamlist" file. Because the control flag is "required" rather than "requisite", an unlisted user still goes through the remaining auth modules (including the password prompt) and is only refused once the whole stack has been evaluated, so the rejection does not reveal whether the name was on the list. The options specified have the following meanings:
onerr=fail -- If an error occurs (the file cannot be found or read, or it contains an improperly formatted entry), fail this test, which denies the user access via sshd. The other possible value for onerr is "succeed", which turns the same errors into a pass: a missing or unreadable list would then let every user in, so avoid it for an allow list.
item=user -- Compare the user's login name against the entries in the file. Other item types are tty, rhost, ruser, group and shell.
sense=allow -- If the user is found in the file specified, this test succeeds, and the user is allowed in provided all other PAM tests succeed as well; if the user is not found, the test fails. The other possible value for sense is "deny", which inverts this: listed users are rejected and everyone else passes this test.
file=/etc/ssh_allow.pamlist -- This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
With that, "/etc/pam.d/sshd" will look like:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_listfile.so onerr=fail item=user \
                        sense=allow file=/etc/ssh_allow.pamlist
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
(pam_stack.so is how older Red Hat releases pulled in the shared system-auth stack; current Linux-PAM uses "include" or "substack" lines for the same purpose, but the pam_listfile line is unchanged.)
Put the valid SSH users in the "/etc/ssh_allow.pamlist" file, one username per line. Keep the file owned by root and not writable by anyone else (mode 0644 or stricter): pam_listfile refuses to use a list that is world-writable or not a regular file, and anyone who can edit the list can grant themselves SSH access. Make sure every account that must still log in remotely is listed, and verify from a second session before closing the one you edited from.
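The two things that go wrong with this setup in practice are a fail-open pam_listfile line and a list file that pam_listfile will reject or that names accounts that do not exist. The script below, an added example that is not part of the original post, audits both: it joins backslash-continued lines in a PAM service file, reports pam_listfile lines with onerr=succeed or missing file=/sense= options, and checks the list the way pam_listfile does (regular file, not world-writable) plus one entry per line. The function names, the PASSWD_FILE variable and the "FINDING:" output format are this example's own choices; user names are checked against a local passwd file only, not NSS or LDAP.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a pam_listfile
# deployment like the sshd one above.
#   audit_pam_service FILE  - pam_listfile lines in a PAM service file:
#       flags onerr=succeed (fail-open) and missing file=/sense= options;
#       returns the number of findings (0 = clean)
#   check_listfile FILE     - the list itself: rejects what pam_listfile
#       rejects (not a regular file, world-writable) and checks that each
#       line is exactly one existing local user name; returns finding count
# Assumption: names are validated against PASSWD_FILE (default /etc/passwd).

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

audit_pam_service() {
    svc=$1
    if [ ! -r "$svc" ]; then
        echo "FINDING: cannot read $svc"
        return 1
    fi
    findings=$(
        # join "\"-continued lines, turn tabs into spaces, drop comment lines
        sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$svc" | tr '\t' ' ' |
        grep -v '^ *#' | grep 'pam_listfile' |
        while read -r line; do
            # everything after the module name, padded so " key=value " matches
            opts=" ${line#*pam_listfile.so} "
            case $opts in
                *" onerr=succeed "*)
                    echo "FINDING: fail-open onerr=succeed in: $line" ;;
            esac
            case $opts in
                *" file="*) ;;
                *) echo "FINDING: no file= option in: $line" ;;
            esac
            case $opts in
                *" sense=allow "*|*" sense=deny "*) ;;
                *) echo "FINDING: sense= missing or invalid in: $line" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | wc -l | tr -d ' ')"
}

check_listfile() {
    f=$1
    bad=0
    if [ ! -f "$f" ]; then
        echo "FINDING: $f is not a regular file (pam_listfile rejects it)"
        return 1
    fi
    # pam_listfile refuses a world-writable list outright
    if [ -n "$(find "$f" -prune -perm -002)" ]; then
        echo "FINDING: $f is world-writable"
        bad=$((bad + 1))
    fi
    # one user name per line; blank lines are ignored
    while read -r name rest; do
        [ -z "$name" ] && continue
        if [ -n "$rest" ]; then
            echo "FINDING: extra token(s) after '$name' in $f"
            bad=$((bad + 1))
        elif ! grep -q "^$name:" "$PASSWD_FILE"; then
            echo "FINDING: '$name' in $f is not a local account"
            bad=$((bad + 1))
        fi
    done < "$f"
    return $bad
}

# Usage: sh pam_listfile_audit.sh /etc/pam.d/sshd /etc/ssh_allow.pamlist
if [ $# -eq 2 ]; then
    audit_pam_service "$1"; a=$?
    check_listfile "$2"; b=$?
    [ $((a + b)) -eq 0 ] && echo "OK: no findings"
fi
```

Run it against the service file and list from the post; a clean setup prints "OK: no findings". The onerr=succeed check is the important one: with sense=allow that setting turns a deleted or unreadable list into "everyone may log in", which is the opposite of what an allow list is for.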
Related Reading:
- sandip's blog
Comments
You just add the following statement at the first line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
The PAM execution sequence is line by line from top to bottom.