Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access control on aix, a la pam_access

Status
Not open for further replies.
van12

van12

Technical User
Joined
Nov 17, 2012
Messages
6
Location
DK
Access control on hpux, linux is controled easily by pam_access. AIX doesn't seem to have pam_access, how do you do it? I wish a defined group can ssh to a server (from a defined IPs) but not other group....


Just want to control ssh, not other TCP connection type, so TCP Wrappers is out of question.

Any ideas?

Tuan
 
Sort by date Sort by votes
Hi Tuan,
I did the configuration a long time ago, and let me tell you, its a pain in the neck. I roughly remember the below

edit the pam.conf file in /etc
# vi /etc/pam.conf
go to 'Authentication' and add
sshd auth required pam_prohibit /var/adm/users
It means that for the user list (/var/adm/users) block the ssh access to the host.
in /var/adm/users manually add users to block their access.

Now vi /etc/ssh/sshd_config and go to
# UsePAM --> change it to yes
# stopsrc -s sshd
# startsrc -s sshd


I hope this helps.

SARFARAZ AHMED SYED,
Sr. Systems Engineer
 
Upvote 0 Downvote
hi SARFARAZ

Thanks for your direction, I setup as your description, but then I can't login no matter if there is anything or not in the file /var/adm/users. In syslog there is this error

auth|security:err|error sshd: PAM: pam_prohibit authenticate: illegal option /var/adm/users

I try google and "man" for AIX pam_*, but could not find any thing except aaccount control for ftp login (/etc/ftpuser).


any ideas?

Best Regards
Tuan
 
Upvote 0 Downvote
Thanks chgwhat

As I wrote in my question, no TCP Wrappers please.

And I also know this link "...developerworks/aix/library/au-sshlocks", it is just a general speaks not specific for AIX, but linux.

Our ssh uses pam with the following at /etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

IBM, please do adapt pam_access to AIX.

Any ideas?
Tuan
 
Upvote 0 Downvote
....I got a hint from it.toolbox

Hi Dan,

at last after many hours....og my God it works.....Thanks to all of you and IBM...

Sorry, it was first yesterday when I rerereread the thread and your answer "The file to use for the control list is configured using a module option and defaults to /etc/ftpusers..", it was the word "default" which gives me the hint.

ok the pam_permission library is not only for ftp but also for other tools..... Now it is very easy to control the users/groups who can ssh to the server (I don't want to "touch" any other protocol (apache, oracle, postfix..), I believe it requires more attention/test/work when using tcp-wrapper.
The solution is below:


lssec -f /etc/security/login.cfg -s usw -a auth_type
chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

/etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=prohibit
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

/etc/security/access.conf #I called it access.conf just like on linux
+@network # the group network has ssh access to the server
+@LDAP_NOC_UNIXTEK
+john
-ALL


chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP" (compat not work for ldap login!!)
chsec -f /etc/security/user -s default -a "registry=LDAP" (compat not work for ldap)

Because of the "registry=LDAP" above, you need to do the following for enable local user login:
chsec -f /etc/security/user -s default -a "registry=files"
chuser registry=files <USER>
enable LDAP again:
chsec -f /etc/security/user -s default -a "registry=LDAP"

Test:
lsuser <USER>
lsldap -a passwd

Thanks again
Tuan
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

E
  • Locked
  • Question Question
AIX Power5 on 5.3- On varyonvg error "cannot be varied on because no good copies of the descriptor area"
Replies
1
Views
840
JenLM
J
A
  • Locked
  • Question Question
Adding Existing LUN to New LPAR AIX
Replies
0
Views
804
Alvinghost
A
jkc2023
  • Locked
  • Question Question
AIX TL and SP upgrade
Replies
0
Views
941
jkc2023
jkc2023
HariharanER
  • Locked
  • Question Question
Current versions are used in AIX
Replies
0
Views
697
HariharanER
HariharanER
sheilar32
  • Locked
  • Question Question
Migrating from AIX to anything else
Replies
0
Views
714
sheilar32
sheilar32

Part and Inventory Search

Sponsor

Back
Top