pam_access.so module does not check hostname portion of netgroup

Solution Verified - Updated -

Issue

When the @netgroup format is used to restrict access to machines, pam_access does not check the host part of the netgroup triple: it grants access whenever the username matches the user field of the netgroup, regardless of which host the login happens on.

For example:

A netgroup named hbacl is defined in LDAP and is visible on the Linux machine:

    # getent netgroup hbacl
    hbacl                 (server04.example.com, iuser1, )

Here is the corresponding entry in LDAP:

    # ldapsearch -LLL -x -b "cn=hbacl,ou=netgroup,dc=example,dc=com"
    # hbacl, netgroup, tech.com
    dn: cn=hbacl,ou=netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: hbacl
    nisNetgroupTriple: (server04.example.com,iuser1,)

The following entries are configured in /etc/security/access.conf on server07:

    -:root:ALL EXCEPT cron crond xymon
    +:@hbacl:ALL
    -:ALL:ALL

With this configuration, user iuser1 is allowed to log in to server07. According to the netgroup triple referenced by the access.conf entry, iuser1 should only be permitted to log in to server04, not to server07.

Here are the /var/log/secure entries recorded during the login:

    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.34  user=iuser1
    pam_access(sshd:account): login_access: user=iuser1, from=192.168.0.34, file=/etc/security/access.conf
    pam_access(sshd:account): line 116: - : root : ALL EXCEPT cron crond xymon
    pam_access(sshd:account): user_match: tok=root, item=iuser1
    pam_access(sshd:account): string_match: tok=root, item=iuser1
    pam_access(sshd:account): user_match=0, "iuser1"
    pam_access(sshd:account): line 117: + : @hbacl : ALL
    pam_access(sshd:account): user_match: tok=@hbacl, item=iuser1
    pam_access(sshd:account): netgroup_match: 1 (group=hbacl, machine=NULL, user=iuser1, domain=NULL)
    pam_access(sshd:account): user_match=1, "iuser1"
    pam_access(sshd:account): from_match: tok=ALL, item=192.168.0.34
    pam_access(sshd:account): string_match: tok=ALL, item=192.168.0.34
    pam_access(sshd:account): from_match=2, "192.168.0.34"
    Accepted password for iuser1 from 192.168.0.34 port 12043 ssh2
    pam_unix(sshd:session): session opened for user iuser1 by (uid=0)
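The log above shows `netgroup_match` being called with `machine=NULL`, so the host field of the triple is never compared. The following is an added example, not pam_access source or Red Hat's code: a simplified model of the access.conf evaluation that takes the page's netgroup and the three access.conf lines as constructed input, and exposes a hypothetical `local_host` parameter so the effect of passing the local hostname to the netgroup lookup (as opposed to NULL) can be compared. Only the token types used on the page (`ALL`, `EXCEPT`, `@netgroup`, plain names) are modelled.

```python
"""Simplified model of pam_access evaluation with @netgroup user tokens.

Added example for illustration; it is not the pam_access implementation.
Constructed data below reproduces the page's `getent netgroup hbacl`
output and the three /etc/security/access.conf lines from server07.
"""

# Constructed: the netgroup as shown by `getent netgroup hbacl`.
NETGROUPS = {
    "hbacl": [("server04.example.com", "iuser1", "")],
}

# Constructed: the access.conf lines from the page, in file order
# as (permission, users, origins) tuples.
ACCESS_CONF = [
    ("-", "root", "ALL EXCEPT cron crond xymon"),
    ("+", "@hbacl", "ALL"),
    ("-", "ALL", "ALL"),
]


def innetgr(netgroup, host, user, domain):
    """Match a (host, user, domain) triple the way innetgr(3) does.

    A None argument means the caller does not care about that field (the
    `machine=NULL` case in the page's log); an empty field in the stored
    triple is a wildcard.
    """
    for t_host, t_user, t_domain in NETGROUPS.get(netgroup, []):
        if host is not None and t_host and t_host != host:
            continue
        if user is not None and t_user and t_user != user:
            continue
        if domain is not None and t_domain and t_domain != domain:
            continue
        return True
    return False


def list_match(field, item, match_one):
    """pam_access list semantics: whitespace-separated tokens, with every
    token after EXCEPT acting as an exclusion."""
    toks = field.split()
    if "EXCEPT" in toks:
        cut = toks.index("EXCEPT")
        allowed, excluded = toks[:cut], toks[cut + 1:]
    else:
        allowed, excluded = toks, []
    return any(match_one(t, item) for t in allowed) and not any(
        match_one(t, item) for t in excluded
    )


def user_match(tok, user, local_host):
    """Match the users field. `local_host` is the hypothetical value handed
    to the netgroup lookup as the machine; None reproduces the logged
    behaviour, where the host field of the triple is ignored."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return innetgr(tok[1:], local_host, user, None)
    return tok == user


def from_match(tok, rhost):
    """Match the origins field (only ALL and literal values modelled)."""
    return tok == "ALL" or tok == rhost


def check_access(user, rhost, local_host=None):
    """Return True if the first matching access.conf line grants access.

    pam_access stops at the first line whose users and origins fields both
    match; if no line matches, access is permitted by default.
    """
    for perm, users, origins in ACCESS_CONF:
        if list_match(users, user, lambda t, u: user_match(t, u, local_host)) \
                and list_match(origins, rhost, from_match):
            return perm == "+"
    return True


if __name__ == "__main__":
    rhost = "192.168.0.34"
    # Host ignored (machine=NULL): iuser1 is admitted on any host.
    print("machine=NULL       :", check_access("iuser1", rhost))
    # Host checked against the triple: admitted only on server04.
    print("server07 checked   :", check_access("iuser1", rhost, "server07.example.com"))
    print("server04 checked   :", check_access("iuser1", rhost, "server04.example.com"))
```

Running the script with the constructed data reproduces the page's observation: with the machine field left as None, the `+:@hbacl:ALL` line matches iuser1 on any host and the final `-:ALL:ALL` line is never reached; when the local hostname is compared against the triple, the netgroup line only matches on server04 and logins on server07 fall through to the deny-all line. The model is deliberately minimal: real pam_access supports additional origin token types (tty names, network masks, `LOCAL`) that are not exercised by the page's configuration.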

Environment

  • Red Hat Enterprise Linux 5/6
  • pam_access
