System is not considering restrictions in /etc/security/access.conf file.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

  • After adding restrictions to the /etc/security/access.conf file, the user is still able to log in or perform the tasks that those rules should deny.

For example:

The rule below should deny root access from every origin except local logins (LOCAL), yet root can still log in remotely:

  # tail -1 /etc/security/access.conf 
  -:root: ALL EXCEPT LOCAL

Resolution

  1. Configure /etc/pam.d/password-auth and /etc/pam.d/system-auth to call the pam_access.so module in the account section, so that access is restricted according to the rules defined in /etc/security/access.conf. Add the line above the pam_unix.so entry. It must in any case come before the "sufficient" pam_succeed_if.so entry: for root (uid 0) that entry succeeds and ends the account stack, so a pam_access.so line placed after it would never run for root.
  account     required      pam_access.so     <---- Add this line in account section
  account     required      pam_unix.so <----------- Add above this line.
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  On Red Hat Enterprise Linux 8 and 9 these files are generated by authselect, and manual edits are lost the next time authselect writes them. Enable the module through the profile instead (for example, authselect select sssd with-pamaccess for the sssd profile), which adds pam_access.so to the account section of both files.
  2. Configure the sshd service to use PAM by adding or modifying the UsePAM parameter in /etc/ssh/sshd_config, then restart sshd (systemctl restart sshd) so the change takes effect. sshd uses the first value it finds for a keyword, so make sure no earlier "UsePAM no" line remains in the file:
  # vim /etc/ssh/sshd_config 
  UsePAM  yes

Diagnostic Steps

  • Check whether pam_access.so is present in the account section of the PAM stack:
  # cat /etc/pam.d/system-auth
  ..snip...
  account     required      pam_unix.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so

The output above shows that pam_access.so is not present in the PAM configuration, so the rules in /etc/security/access.conf are never evaluated. Check /etc/pam.d/password-auth in the same way, and confirm that UsePAM is set to yes in /etc/ssh/sshd_config.
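The following script is an added example, not part of the Red Hat solution, that automates the checks behind both the Resolution and the Diagnostic Steps: it verifies that pam_access.so is in the account stack and placed before the first "sufficient" entry (so it is reached for root), and that sshd_config enables PAM. The functions take file paths, so on a real host they can be pointed at /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/ssh/sshd_config; the PAM stacks and sshd_config fragments it writes to a temporary directory are constructed for the demonstration and modelled on the stacks shown above. The sshd check only understands the whitespace-separated "UsePAM yes" form; on a live host, `sshd -T | grep -i usepam` prints the value sshd actually uses.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit whether a host's PAM
# account stack actually calls pam_access.so and whether sshd delegates to PAM.
# The functions take file paths, so on a real host they can be pointed at
# /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/ssh/sshd_config;
# the sample files written below are constructed for the demonstration.

# Return 0 when FILE has an uncommented "account ... pam_access.so" entry that
# comes before the first "account sufficient ..." entry. Ordering matters: for
# root (uid 0) the stock "account sufficient pam_succeed_if.so uid < 500 quiet"
# succeeds and ends the account stack, so a pam_access.so line placed after it
# is never reached and access.conf is silently ignored for root.
pam_access_in_account_stack() {
    awk '
        $1 == "account" && /pam_access\.so/ && !acc     { acc = NR }
        $1 == "account" && $2 == "sufficient" && !suf  { suf = NR }
        END { exit !(acc && (!suf || acc < suf)) }
    ' "$1"
}

# Return 0 when sshd_config enables PAM. sshd keeps the FIRST value it reads
# for a keyword, so "UsePAM no" near the top wins over a "UsePAM yes" appended
# at the end; an absent keyword is treated as not enabled.
sshd_uses_pam() {
    awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1" | grep -qx yes
}

# Audit one host: $1 system-auth, $2 password-auth, $3 sshd_config.
# Returns 0 only when every check passes.
audit_pam_access() {
    rc=0
    for f in "$1" "$2"; do
        if pam_access_in_account_stack "$f"; then
            echo "OK   $f: pam_access.so runs in the account stack"
        else
            echo "FAIL $f: pam_access.so missing or placed after a 'sufficient' entry"
            rc=1
        fi
    done
    if sshd_uses_pam "$3"; then
        echo "OK   $3: UsePAM yes"
    else
        echo "FAIL $3: UsePAM is not yes (or not set)"
        rc=1
    fi
    return $rc
}

# --- constructed sample files, modelled on the stacks shown in the article ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth.broken" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF
cat > "$tmp/system-auth.fixed" <<'EOF'
account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF
# pam_access.so is present but too late to affect root
cat > "$tmp/system-auth.late" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_access.so
account     required      pam_permit.so
EOF
printf '# UsePAM yes\nUsePAM no\nUsePAM yes\n' > "$tmp/sshd_config.bad"
printf 'UsePAM yes\n' > "$tmp/sshd_config.good"

echo "== constructed broken host =="
audit_pam_access "$tmp/system-auth.broken" "$tmp/system-auth.late" "$tmp/sshd_config.bad" \
    || echo "-> /etc/security/access.conf rules would not be enforced"
echo "== constructed fixed host =="
audit_pam_access "$tmp/system-auth.fixed" "$tmp/system-auth.fixed" "$tmp/sshd_config.good" \
    && echo "-> /etc/security/access.conf rules would be enforced"
```

The "late" stack is the case the article's "Add above this line" arrow guards against: pam_access.so is in the file, so a plain grep would report it as configured, but root never reaches it. Run the audit against the real files after applying the Resolution and after any authselect change on RHEL 8/9, since those regenerate the PAM files.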

  • Component
  • pam

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
