Access.conf and augeas
Issue
Over the last year I worked with RedHat to find a solution on how to limit user logins to a server in RHEL 6 via LDAP. RedHat recommended to add the following to the /etc/security/access.conf file; this solution works well. I have used the augtool to look at the /etc/security/access.conf file and augtool is complaining about the syntax that was added to restrict logins. Does the augtool lens for access.conf need to be updated???? I have included the access.conf, the augtool output and the augeas access.conf lens. Thank-you
+:root:LOCAL
+:@rhel-app-wirefeed:ALL
-:ALL:ALL
# cat -n /etc/security/access.conf
1 # Login access control table.
2 #
3 # Comment line must start with "#", no space at front.
4 # Order of lines is important.
5 #
6 # When someone logs in, the table is scanned for the first entry that
7 # matches the (user, host) combination, or, in case of non-networked
8 # logins, the first entry that matches the (user, tty) combination. The
9 # permissions field of that table entry determines whether the login will
10 # be accepted or refused.
11 #
12 # Format of the login access control table is three fields separated by a
13 # ":" character:
14 #
15 # [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
16 # module, you can change the field separation character to be
17 # '|'. This is useful for configurations where you are trying to use
18 # pam_access with X applications that provide PAM_TTY values that are
19 # the display variable like "host:0".]
20 #
21 # permission : users : origins
22 #
23 # The first field should be a "+" (access granted) or "-" (access denied)
24 # character.
25 #
26 # The second field should be a list of one or more login names, group
27 # names, or ALL (always matches). A pattern of the form user@host is
28 # matched when the login name matches the "user" part, and when the
29 # "host" part matches the local machine name.
30 #
31 # The third field should be a list of one or more tty names (for
32 # non-networked logins), host names, domain names (begin with "."), host
33 # addresses, internet network numbers (end with "."), ALL (always
34 # matches), NONE (matches no tty on non-networked logins) or
35 # LOCAL (matches any string that does not contain a "." character).
36 #
37 # You can use @netgroupname in host or user patterns; this even works
38 # for @usergroup@@hostgroup patterns.
39 #
40 # The EXCEPT operator makes it possible to write very compact rules.
41 #
42 # The group file is searched only when a name does not match that of the
43 # logged-in user. Both the user's primary group is matched, as well as
44 # groups in which users are explicitly listed.
45 # To avoid problems with accounts, which have the same name as a group,
46 # you can use brackets around group names '(group)' to differentiate.
47 # In this case, you should also set the "nodefgroup" option.
48 #
49 # TTY NAMES: Must be in the form returned by ttyname(3) less the initial
50 # "/dev" (e.g. tty1 or vc/1)
51 #
52 ##############################################################################
53 #
54 # Disallow non-root logins on tty1
55 #
56 #-:ALL EXCEPT root:tty1
57 #
58 # Disallow console logins to all but a few accounts.
59 #
60 #-:ALL EXCEPT wheel shutdown sync:LOCAL
61 #
62 # Same, but make sure that really the group wheel and not the user
63 # wheel is used (use nodefgroup argument, too):
64 #
65 #-:ALL EXCEPT (wheel) shutdown sync:LOCAL
66 #
67 # Disallow non-local logins to privileged accounts (group wheel).
68 #
69 #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
70 #
71 # Some accounts are not allowed to login from anywhere:
72 #
73 #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
74 #
75 # All other accounts are allowed to login from anywhere.
76 #
77 ##############################################################################
78 # All lines from here up to the end are building a more complex example.
79 ##############################################################################
80 #
81 # User "root" should be allowed to get access via cron .. tty5 tty6.
82 #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
83 #
84 # User "root" should be allowed to get access from hosts with ip addresses.
85 #+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
86 #+ : root : 127.0.0.1
87 #
88 # User "root" should get access from network 192.168.201.
89 # This term will be evaluated by string matching.
90 # comment: It might be better to use network/netmask instead.
91 # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
92 #+ : root : 192.168.201.
93 #
94 # User "root" should be able to have access from domain.
95 # Uses string matching also.
96 #+ : root : .foo.bar.org
97 #
98 # User "root" should be denied to get access from all other sources.
99 #- : root : ALL
100 #
101 # User "foo" and members of netgroup "nis_group" should be
102 # allowed to get access from all sources.
103 # This will only work if netgroup service is available.
104 #+ : @nis_group foo : ALL
105 #
106 # User "john" should get access from ipv4 net/mask
107 #+ : john : 127.0.0.0/24
108 #
109 # User "john" should get access from ipv4 as ipv6 net/mask
110 #+ : john : ::ffff:127.0.0.0/127
111 #
112 # User "john" should get access from ipv6 host address
113 #+ : john : 2001:4ca0:0:101::1
114 #
115 # User "john" should get access from ipv6 host address (same as above)
116 #+ : john : 2001:4ca0:0:101:0:0:0:1
117 #
118 # User "john" should get access from ipv6 net/mask
119 #+ : john : 2001:4ca0:0:101::/64
120 #
121 # All other users should be denied to get access from all sources.
122
123 +:root:LOCAL
124 +:@rhel-app-wirefeed:ALL
125 -:ALL:ALL
augtool> print /augeas//error
/augeas/files/etc/puppet/puppet.conf/error = "parse_failed"
/augeas/files/etc/puppet/puppet.conf/error/pos = "0"
/augeas/files/etc/puppet/puppet.conf/error/line = "1"
/augeas/files/etc/puppet/puppet.conf/error/char = "0"
/augeas/files/etc/puppet/puppet.conf/error/lens = "/usr/share/augeas/lenses/dist/inifile.aug:309.25-.43:"
/augeas/files/etc/puppet/puppet.conf/error/message = "Get did not match entire input"
/augeas/files/etc/passwd/error = "parse_failed"
/augeas/files/etc/passwd/error/pos = "1872"
/augeas/files/etc/passwd/error/line = "38"
/augeas/files/etc/passwd/error/char = "0"
/augeas/files/etc/passwd/error/lens = "/usr/share/augeas/lenses/dist/passwd.aug:64.17-.60:"
/augeas/files/etc/passwd/error/message = "Iterated lens matched less than it should"
/augeas/files/etc/security/access.conf/error = "parse_failed"
/augeas/files/etc/security/access.conf/error/pos = "4606"
/augeas/files/etc/security/access.conf/error/line = "123"
/augeas/files/etc/security/access.conf/error/char = "0"
/augeas/files/etc/security/access.conf/error/lens = "/usr/share/augeas/lenses/dist/access.aug:105.16-.39:"
/augeas/files/etc/security/access.conf/error/message = "Iterated lens matched less than it should"
/augeas/files/etc/nsswitch.conf/error = "parse_failed"
/augeas/files/etc/nsswitch.conf/error/pos = "1077"
/augeas/files/etc/nsswitch.conf/error/line = "35"
/augeas/files/etc/nsswitch.conf/error/char = "0"
/augeas/files/etc/nsswitch.conf/error/lens = "/usr/share/augeas/lenses/dist/nsswitch.aug:88.10-.41:"
/augeas/files/etc/nsswitch.conf/error/message = "Iterated lens matched less than it should"
[root@linux999 ~]# cat /usr/share/augeas/lenses/dist/access.aug
(*
Module: Access
Parses /etc/security/access.conf
Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
About: Reference
Some examples of valid entries can be found in access.conf or "man access.conf"
About: License
This file is licensed under the LGPLv2+, like the rest of Augeas.
About: Lens Usage
Sample usage of this lens in augtool
* Add a rule to permit login of all users from local sources (tty's, X, cron)
> set /files/etc/security/access.conf[0] +
> set /files/etc/security/access.conf[0]/user ALL
> set /files/etc/security/access.conf[0]/origin LOCAL
About: Configuration files
This lens applies to /etc/security/access.conf. See <filter>.
*)
module Access =
autoload xfm
(* Group: Comments and empty lines *)
(* Variable: comment *)
let comment = Util.comment
(* Variable: empty line *)
let empty = Util.empty
(* Group: Useful primitives *)
(* Variable: colon
* this is the standard field separator " : "
*)
let colon = Sep.space . Sep.colon . Sep.space
(************************************************************************
* Group: ENTRY LINE
*************************************************************************)
(* View: access
* Allow (+) or deny (-) access
*)
let access = label "access" . store /[+-]/
(* View: user_re
* Regex for user/netgroup fields
*)
let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/
(* View: user
* user can be a username or a group
*)
let user = [ label "user" . store user_re ]
(* View: netgroup
* Format is @NETGROUP[@@NISDOMAIN]
*)
let netgroup =
[ label "netgroup" . Util.del_str "@" . store user_re
. [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]
(* View: user_list
* A list of users or netgroups to apply the rule to
*)
let user_list = Build.opt_list (user|netgroup) Sep.space
(* View: origin_list
* origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
*)
let origin_list =
let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/
in Build.opt_list [ label "origin" . store origin_re ] Sep.space
(* View: except
* The except operator makes it possible to write very compact rules.
*)
let except (lns:lens) = [ label "except" . Sep.space
. del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT"
. Sep.space . lns ]
(* View: entry
* A valid entry line
* Definition:
* > entry ::= access ':' user ':' origin_list
*)
let entry = [ access . colon
. user_list
. (except user_list)?
. colon
. origin_list
. (except origin_list)?
. Util.eol ]
(************************************************************************
* Group: LENS & FILTER
*************************************************************************)
(* View: lns
The access.conf lens, any amount of
* <empty> lines
* <comments>
* <entry>
*)
let lns = (comment|empty|entry) *
(* Variable: filter *)
let filter = incl "/etc/security/access.conf"
let xfm = transform lns filter
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.
