Access.conf and augeas
Issue
Over the last year I worked with RedHat to find a solution on how to limit user logins to a server in RHEL 6 via LDAP. RedHat recommended to add the following to the /etc/security/access.conf file; this solution works well. I have used the augtool to look at the /etc/security/access.conf file and augtool is complaining about the syntax that was added to restrict logins. Does the augtool lens for access.conf need to be updated???? I have included the access.conf, the augtool output and the augeas access.conf lens. Thank-you
+:root:LOCAL
+:@rhel-app-wirefeed:ALL
-:ALL:ALL
# cat -n /etc/security/access.conf
1 # Login access control table.
2 #
3 # Comment line must start with "#", no space at front.
4 # Order of lines is important.
5 #
6 # When someone logs in, the table is scanned for the first entry that
7 # matches the (user, host) combination, or, in case of non-networked
8 # logins, the first entry that matches the (user, tty) combination. The
9 # permissions field of that table entry determines whether the login will
10 # be accepted or refused.
11 #
12 # Format of the login access control table is three fields separated by a
13 # ":" character:
14 #
15 # [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
16 # module, you can change the field separation character to be
17 # '|'. This is useful for configurations where you are trying to use
18 # pam_access with X applications that provide PAM_TTY values that are
19 # the display variable like "host:0".]
20 #
21 # permission : users : origins
22 #
23 # The first field should be a "+" (access granted) or "-" (access denied)
24 # character.
25 #
26 # The second field should be a list of one or more login names, group
27 # names, or ALL (always matches). A pattern of the form user@host is
28 # matched when the login name matches the "user" part, and when the
29 # "host" part matches the local machine name.
30 #
31 # The third field should be a list of one or more tty names (for
32 # non-networked logins), host names, domain names (begin with "."), host
33 # addresses, internet network numbers (end with "."), ALL (always
34 # matches), NONE (matches no tty on non-networked logins) or
35 # LOCAL (matches any string that does not contain a "." character).
36 #
37 # You can use @netgroupname in host or user patterns; this even works
38 # for @usergroup@@hostgroup patterns.
39 #
40 # The EXCEPT operator makes it possible to write very compact rules.
41 #
42 # The group file is searched only when a name does not match that of the
43 # logged-in user. Both the user's primary group is matched, as well as
44 # groups in which users are explicitly listed.
45 # To avoid problems with accounts, which have the same name as a group,
46 # you can use brackets around group names '(group)' to differentiate.
47 # In this case, you should also set the "nodefgroup" option.
48 #
49 # TTY NAMES: Must be in the form returned by ttyname(3) less the initial
50 # "/dev" (e.g. tty1 or vc/1)
51 #
52 ##############################################################################
53 #
54 # Disallow non-root logins on tty1
55 #
56 #-:ALL EXCEPT root:tty1
57 #
58 # Disallow console logins to all but a few accounts.
59 #
60 #-:ALL EXCEPT wheel shutdown sync:LOCAL
61 #
62 # Same, but make sure that really the group wheel and not the user
63 # wheel is used (use nodefgroup argument, too):
64 #
65 #-:ALL EXCEPT (wheel) shutdown sync:LOCAL
66 #
67 # Disallow non-local logins to privileged accounts (group wheel).
68 #
69 #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
70 #
71 # Some accounts are not allowed to login from anywhere:
72 #
73 #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
74 #
75 # All other accounts are allowed to login from anywhere.
76 #
77 ##############################################################################
78 # All lines from here up to the end are building a more complex example.
79 ##############################################################################
80 #
81 # User "root" should be allowed to get access via cron .. tty5 tty6.
82 #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
83 #
84 # User "root" should be allowed to get access from hosts with ip addresses.
85 #+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
86 #+ : root : 127.0.0.1
87 #
88 # User "root" should get access from network 192.168.201.
89 # This term will be evaluated by string matching.
90 # comment: It might be better to use network/netmask instead.
91 # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
92 #+ : root : 192.168.201.
93 #
94 # User "root" should be able to have access from domain.
95 # Uses string matching also.
96 #+ : root : .foo.bar.org
97 #
98 # User "root" should be denied to get access from all other sources.
99 #- : root : ALL
100 #
101 # User "foo" and members of netgroup "nis_group" should be
102 # allowed to get access from all sources.
103 # This will only work if netgroup service is available.
104 #+ : @nis_group foo : ALL
105 #
106 # User "john" should get access from ipv4 net/mask
107 #+ : john : 127.0.0.0/24
108 #
109 # User "john" should get access from ipv4 as ipv6 net/mask
110 #+ : john : ::ffff:127.0.0.0/127
111 #
112 # User "john" should get access from ipv6 host address
113 #+ : john : 2001:4ca0:0:101::1
114 #
115 # User "john" should get access from ipv6 host address (same as above)
116 #+ : john : 2001:4ca0:0:101:0:0:0:1
117 #
118 # User "john" should get access from ipv6 net/mask
119 #+ : john : 2001:4ca0:0:101::/64
120 #
121 # All other users should be denied to get access from all sources.
122
123 +:root:LOCAL
124 +:@rhel-app-wirefeed:ALL
125 -:ALL:ALL
augtool> print /augeas//error
/augeas/files/etc/puppet/puppet.conf/error = "parse_failed"
/augeas/files/etc/puppet/puppet.conf/error/pos = "0"
/augeas/files/etc/puppet/puppet.conf/error/line = "1"
/augeas/files/etc/puppet/puppet.conf/error/char = "0"
/augeas/files/etc/puppet/puppet.conf/error/lens = "/usr/share/augeas/lenses/dist/inifile.aug:309.25-.43:"
/augeas/files/etc/puppet/puppet.conf/error/message = "Get did not match entire input"
/augeas/files/etc/passwd/error = "parse_failed"
/augeas/files/etc/passwd/error/pos = "1872"
/augeas/files/etc/passwd/error/line = "38"
/augeas/files/etc/passwd/error/char = "0"
/augeas/files/etc/passwd/error/lens = "/usr/share/augeas/lenses/dist/passwd.aug:64.17-.60:"
/augeas/files/etc/passwd/error/message = "Iterated lens matched less than it should"
/augeas/files/etc/security/access.conf/error = "parse_failed"
/augeas/files/etc/security/access.conf/error/pos = "4606"
/augeas/files/etc/security/access.conf/error/line = "123"
/augeas/files/etc/security/access.conf/error/char = "0"
/augeas/files/etc/security/access.conf/error/lens = "/usr/share/augeas/lenses/dist/access.aug:105.16-.39:"
/augeas/files/etc/security/access.conf/error/message = "Iterated lens matched less than it should"
/augeas/files/etc/nsswitch.conf/error = "parse_failed"
/augeas/files/etc/nsswitch.conf/error/pos = "1077"
/augeas/files/etc/nsswitch.conf/error/line = "35"
/augeas/files/etc/nsswitch.conf/error/char = "0"
/augeas/files/etc/nsswitch.conf/error/lens = "/usr/share/augeas/lenses/dist/nsswitch.aug:88.10-.41:"
/augeas/files/etc/nsswitch.conf/error/message = "Iterated lens matched less than it should"
[root@linux999 ~]# cat /usr/share/augeas/lenses/dist/access.aug
(*
Module: Access
Parses /etc/security/access.conf
Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
About: Reference
Some examples of valid entries can be found in access.conf or "man access.conf"
About: License
This file is licensed under the LGPLv2+, like the rest of Augeas.
About: Lens Usage
Sample usage of this lens in augtool
* Add a rule to permit login of all users from local sources (tty's, X, cron)
> set /files/etc/security/access.conf[0] +
> set /files/etc/security/access.conf[0]/user ALL
> set /files/etc/security/access.conf[0]/origin LOCAL
About: Configuration files
This lens applies to /etc/security/access.conf. See <filter>.
*)
module Access =
autoload xfm
(* Group: Comments and empty lines *)
(* Variable: comment *)
let comment = Util.comment
(* Variable: empty line *)
let empty = Util.empty
(* Group: Useful primitives *)
(* Variable: colon
* this is the standard field separator " : "
*)
let colon = Sep.space . Sep.colon . Sep.space
(************************************************************************
* Group: ENTRY LINE
*************************************************************************)
(* View: access
* Allow (+) or deny (-) access
*)
let access = label "access" . store /[+-]/
(* View: user_re
* Regex for user/netgroup fields
*)
let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/
(* View: user
* user can be a username or a group
*)
let user = [ label "user" . store user_re ]
(* View: netgroup
* Format is @NETGROUP[@@NISDOMAIN]
*)
let netgroup =
[ label "netgroup" . Util.del_str "@" . store user_re
. [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]
(* View: user_list
* A list of users or netgroups to apply the rule to
*)
let user_list = Build.opt_list (user|netgroup) Sep.space
(* View: origin_list
* origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
*)
let origin_list =
let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/
in Build.opt_list [ label "origin" . store origin_re ] Sep.space
(* View: except
* The except operator makes it possible to write very compact rules.
*)
let except (lns:lens) = [ label "except" . Sep.space
. del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT"
. Sep.space . lns ]
(* View: entry
* A valid entry line
* Definition:
* > entry ::= access ':' user ':' origin_list
*)
let entry = [ access . colon
. user_list
. (except user_list)?
. colon
. origin_list
. (except origin_list)?
. Util.eol ]
(************************************************************************
* Group: LENS & FILTER
*************************************************************************)
(* View: lns
The access.conf lens, any amount of
* <empty> lines
* <comments>
* <entry>
*)
let lns = (comment|empty|entry) *
(* Variable: filter *)
let filter = incl "/etc/security/access.conf"
let xfm = transform lns filter
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Close
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.