pam_access.so module does not check hostname portion of netgroup
Issue
When the @netgroup form is used in /etc/security/access.conf to restrict access to machines, pam_access does not check the host part of the netgroup triple; it grants access as long as the username matches the user field of the netgroup.
For example:
Using a netgroup named hbacl that is visible on the Linux machine:
# getent netgroup hbacl
hbacl (server04.example.com, iuser1, )
Here is the corresponding entry in LDAP:
# ldapsearch -LLL -x -b "cn=hbacl,ou=netgroup,dc=example,dc=com"
# hbacl, netgroup, tech.com
dn: cn=hbacl,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: hbacl
nisNetgroupTriple: (server04.example.com,iuser1,)
Using the following entries on server07 (from /etc/security/access.conf):
-:root:ALL EXCEPT cron crond xymon
+:@hbacl:ALL
-:ALL:ALL
This allows user iuser1 to log in to server07. Per the access.conf entry, user iuser1 should be able to log in to server04, not to server07.
Here are the /var/log/secure entries from the login:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.34 user=iuser1
pam_access(sshd:account): login_access: user=iuser1, from=192.168.0.34, file=/etc/security/access.conf
pam_access(sshd:account): line 116: - : root : ALL EXCEPT cron crond xymon
pam_access(sshd:account): user_match: tok=root, item=iuser1
pam_access(sshd:account): string_match: tok=root, item=iuser1
pam_access(sshd:account): user_match=0, "iuser1"
pam_access(sshd:account): line 117: + : @hbacl : ALL
pam_access(sshd:account): user_match: tok=@hbacl, item=iuser1
pam_access(sshd:account): netgroup_match: 1 (group=hbacl, machine=NULL, user=iuser1, domain=NULL)
pam_access(sshd:account): user_match=1, "iuser1"
pam_access(sshd:account): from_match: tok=ALL, item=192.168.0.34
pam_access(sshd:account): string_match: tok=ALL, item=192.168.0.34
pam_access(sshd:account): from_match=2, "192.168.0.34"
Accepted password for iuser1 from 192.168.0.34 port 12043 ssh2
pam_unix(sshd:session): session opened for user iuser1 by (uid=0)
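The decisive line in the log above is netgroup_match: 1 (group=hbacl, machine=NULL, user=iuser1, domain=NULL): the lookup is made with the machine argument set to NULL, which in innetgr(3) semantics means "match any host", so only the user field of the triple is ever compared. The following Python is an added model of that behaviour, not code from pam_access or glibc. It parses the getent netgroup line and the pam_access debug line quoted in the article (embedded here as constructed samples), implements innetgr-style triple matching (an empty triple field or a NULL query value matches anything, a "-" field never matches; hostnames are compared case-insensitively, an assumption of this model), and shows that the user-only lookup succeeds while a host-aware lookup for server07 would have failed. It also includes a small check that flags such log lines, which is useful when reviewing /var/log/secure for the same symptom.

```python
"""innetgr-style netgroup triple matching, added illustration for the pam_access issue.

Not code from pam_access or glibc; this is a Python model of NIS netgroup triple
semantics, fed with the outputs quoted in the article.
"""
import re

# Constructed sample: the `getent netgroup hbacl` output from the article.
GETENT_OUTPUT = "hbacl (server04.example.com, iuser1, )"

# Constructed sample: the pam_access debug line from the article's /var/log/secure.
PAM_LOG_LINE = ("pam_access(sshd:account): netgroup_match: 1 "
                "(group=hbacl, machine=NULL, user=iuser1, domain=NULL)")

# One (host,user,domain) triple; each field may be empty (wildcard) or "-" (never).
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup(line):
    """Return (name, [(host, user, domain), ...]) from one getent netgroup line."""
    name, _, rest = line.partition(" ")
    return name, TRIPLE_RE.findall(rest)


def field_matches(field, value):
    """Compare one triple field with one query value.

    An empty field is a wildcard, a None query value (innetgr's NULL) means
    "don't care", and a "-" field never matches anything.
    """
    if value is None or field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()  # assumption: case-insensitive names


def innetgr(triples, host, user, domain):
    """Model of innetgr(3): true if any triple matches all three query values."""
    return any(
        field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
        for h, u, d in triples
    )


def log_shows_host_unchecked(line):
    """Flag a pam_access debug line whose netgroup lookup passed machine=NULL
    and still reported a match (result 1). Returns None for unrelated lines."""
    m = re.search(r"netgroup_match: (\d+) \(group=([^,]+), machine=([^,]+), user=", line)
    if not m:
        return None
    result, _group, machine = m.groups()
    return result == "1" and machine == "NULL"


def evaluate():
    """Contrast the user-only lookup seen in the log with host-aware lookups."""
    _name, triples = parse_netgroup(GETENT_OUTPUT)
    return {
        # What the log shows pam_access doing: machine=NULL, only the user is compared.
        "as_logged": innetgr(triples, None, "iuser1", None),
        # What a host-aware lookup returns for the machine the login actually hit.
        "server07": innetgr(triples, "server07.example.com", "iuser1", None),
        # And for the host the triple actually names.
        "server04": innetgr(triples, "server04.example.com", "iuser1", None),
        "log_flagged": log_shows_host_unchecked(PAM_LOG_LINE),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Running the script prints as_logged: True, server07: False, server04: True and log_flagged: True, which is exactly the gap the article describes: with the host argument dropped, the netgroup degenerates to a user list and the +:@hbacl:ALL rule admits iuser1 on any machine where that access.conf is installed.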
Environment
- Red Hat Enterprise Linux 5/6
- pam_access