SSH - Advanced Access Control

On a production server, an authorized login can come from any networked computer. Therefore, it is important to have tight control over which users are allowed to connect to the server via OpenSSH.

How do I configure pam_access?

You need to edit the following files:

1. */etc/pam.d/sshd* – Linux PAM configuration file for sshd.
2. */etc/security/access.conf* – By default, the rules for access management are taken from this configuration file. When someone logs in, the file is scanned and the login is matched against the rules, which specify whether the login is accepted or refused for that user. The general syntax is as follows:

permission : username : origins

Where,

* permission : The permission field should be a “+” (access granted) or “-” (access denied) character.
* username : A Linux system username/login name such as root, vivek etc. You can also specify group names, or use the special keyword ALL to match all usernames.
* origins : A list of one or more tty names, host names, IP addresses, domain names that begin with . or the special keywords ALL or LOCAL.

Let us say you want to allow users root and vivek to log in from IP address 202.54.1.20 only.

Open the file /etc/security/access.conf:

# vi /etc/security/access.conf

Append the following two lines (rules are checked in order and the first match decides; the first line refuses every user other than root and vivek, the second refuses root and vivek from any address other than 202.54.1.20):

-:ALL EXCEPT root vivek:ALL
-:root vivek:ALL EXCEPT 202.54.1.20

Save the file and open /etc/pam.d/sshd:

# vi /etc/pam.d/sshd

Append the following entry:

account required pam_access.so

Save and close the file.

Now sshd will only accept logins from root and vivek coming from IP address 202.54.1.20. If user vivek (or root) tries to log in to the ssh server from IP address 203.111.12.3, he will get a ‘Connection closed by xxx.xxx.xx.xx’ error and the following log entry should be written to your log file:

# tail -f /var/log/messages

Output:

Aug 2 19:02:39 web02 pam_access[2091]: access denied for user `vivek' from `203.111.12.3'

Remember that changes to /etc/security/access.conf take effect as soon as you save the file, because PAM reads it at every login. So be careful when writing rules.

More examples

a) Allow any user except root from anywhere, and root only from localhost:

-:root:ALL EXCEPT LOCAL

OR

-:root:ALL EXCEPT localhost

b) Deny network and local login to all users except for user root and vivek:

-:ALL EXCEPT root vivek:ALL

c) Allow the root user to log in only from the 192.168.1.0/24 network:

+ : root : 192.168.1.0/24
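To see how pam_access evaluates these rules (first matching rule decides, access granted when nothing matches), here is a small evaluator written for this article; it is added example code, not part of the original post or of pam_access itself. It models the rule syntax above with plain usernames only (group matching is not implemented) and uses the classic LOCAL rule, an origin string containing no dot; it also shows that a lone `+` rule such as example c) refuses nobody until a closing `-:ALL:ALL` line is added.

```python
import ipaddress

# Constructed rule sets: the two-line rule from the article, example a) and example c).
RULES_MAIN = "-:ALL EXCEPT root vivek:ALL\n-:root vivek:ALL EXCEPT 202.54.1.20"
RULES_A = "-:root:ALL EXCEPT LOCAL"
RULES_C = "+ : root : 192.168.1.0/24"
RULES_C_CLOSED = RULES_C + "\n- : ALL : ALL"   # same rule with an explicit final deny

def _match_field(field, value, match_one):
    """'a b [EXCEPT x y]' matches if some item before EXCEPT matches and none after it does."""
    tokens = field.replace(",", " ").split()
    i = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    hits, exceptions = tokens[:i], tokens[i + 1:]
    return any(match_one(t, value) for t in hits) and not any(match_one(t, value) for t in exceptions)

def _match_user(token, user):
    # Assumption: plain user names only; group membership is not modelled here.
    return token == "ALL" or token == user

def _match_origin(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                  # classic rule: origin string contains no '.'
        return "." not in origin
    if token.startswith("."):             # domain suffix such as .example.com
        return origin.endswith(token)
    try:                                  # single address or CIDR network
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == origin            # tty or host name: exact match

def parse_rules(text):
    """Yield (permission, users, origins) for each non-comment 'perm : users : origins' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            yield perm, users, origins

def check_access(rules_text, user, origin):
    """True if the login is permitted: the first rule matching both fields decides,
    and pam_access grants access when no rule matches at all."""
    for perm, users, origins in parse_rules(rules_text):
        if _match_field(users, user, _match_user) and _match_field(origins, origin, _match_origin):
            return perm == "+"
    return True

if __name__ == "__main__":
    for rules, user, origin in [(RULES_MAIN, "vivek", "202.54.1.20"), (RULES_MAIN, "vivek", "203.111.12.3"),
                                (RULES_C, "vivek", "10.0.0.5"), (RULES_C_CLOSED, "vivek", "10.0.0.5")]:
        print(f"{user}@{origin}: {'granted' if check_access(rules, user, origin) else 'denied'}")
```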

Please note that this kind of restriction can be applied to any PAM-aware application or service, such as ftpd, telnet etc.

The reason I chose this method is that I wanted to restrict access for a particular user from everywhere except localhost.

“Thanks Mithun for sharing this idea”
