Access control on aix, a la pam_access
Access control on hpux, linux is controlled easily by pam_access. AIX doesn't seem to have pam_access, how do you do it? I wish a defined group could ssh to a server (from defined IPs) but not other groups....
http://linux.die.net/man/8/pam_access
Just want to control ssh, not other TCP connection type, so TCP Wrappers is out of question.
Any ideas?
Tuan
RE: Access control on aix, a la pam_access
I did the configuration a long time ago, and let me tell you, it's a pain in the neck. I roughly remember the below:
edit the pam.conf file in /etc
# vi /etc/pam.conf
go to 'Authentication' and add
sshd auth required pam_prohibit /var/adm/users
It means that for the user list (/var/adm/users) block the ssh access to the host.
in /var/adm/users manually add users to block their access.
Now vi /etc/ssh/sshd_config and go to
# UsePAM --> change it to yes
# stopsrc -s sshd
# startsrc -s sshd
I hope this helps.
SARFARAZ AHMED SYED,
Sr. Systems Engineer
RE: Access control on aix, a la pam_access
Thanks for your direction, I set up as your description, but then I can't log in no matter if there is anything or not in the file /var/adm/users. In syslog there is this error:
auth|security:err|error sshd: PAM: pam_prohibit authenticate: illegal option /var/adm/users
I tried Google and "man" for AIX pam_*, but could not find anything except account control for ftp login (/etc/ftpuser).
http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.j...
any ideas?
Best Regards
Tuan
RE: Access control on aix, a la pam_access
Tony ... aka chgwhat
When in doubt,,, Power out...
RE: Access control on aix, a la pam_access
As I wrote in my question, no TCP Wrappers please.
And I also know this link "...developerworks/aix/library/au-sshlocks", it is just general talk, not specific to AIX but Linux.
Our ssh uses pam with the following at /etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome
IBM, please do adapt pam_access to AIX.
Any ideas?
Tuan
RE: Access control on aix, a la pam_access
Hi Dan,
at last, after many hours.... oh my God, it works..... Thanks to all of you and IBM...
Sorry, it was only yesterday, when I rerereread the thread and your answer "The file to use for the control list is configured using a module option and defaults to /etc/ftpusers..", that the word "default" gave me the hint.
OK, the pam_permission library is not only for ftp but also for other tools..... Now it is very easy to control the users/groups who can ssh to the server (I don't want to "touch" any other protocol (apache, oracle, postfix..); I believe it requires more attention/test/work when using tcp-wrapper. http://www.ibm.com/developerworks/aix/library/au-t...)
The solution is below:
lssec -f /etc/security/login.cfg -s usw -a auth_type
chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
/etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=prohibit
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome
/etc/security/access.conf # I called it access.conf just like on linux
+@network # the group network has ssh access to the server
+@LDAP_NOC_UNIXTEK
+john
-ALL
chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP" (compat does not work for LDAP login!!)
chsec -f /etc/security/user -s default -a "registry=LDAP" (compat does not work for LDAP)
Because of the "registry=LDAP" above, you need to do the following to enable local user login:
chsec -f /etc/security/user -s default -a "registry=files"
chuser registry=files <USER>
enable LDAP again:
chsec -f /etc/security/user -s default -a "registry=LDAP"
Test:
lsuser <USER>
lsldap -a passwd
Thanks again
Tuan
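To sanity-check an access list of the shape used in the solution above before restarting sshd, here is an added POSIX sh script (not from the thread or from IBM) that evaluates a constructed copy of the list against a user and its group memberships. The "+"/"-" prefixes, the "@group" and "ALL" entries, first-match-wins ordering and fail-closed default are assumptions modelled on the posted file and on Linux pam_access, not taken from the AIX pam_permission documentation; the file path and the user/group names are constructed for the example.

```sh
#!/bin/sh
# Constructed sample access list in the style of the post's
# /etc/security/access.conf (written to a temp file, not the system file).
ACCESS_LIST="${TMPDIR:-/tmp}/access.conf.example.$$"
trap 'rm -f "$ACCESS_LIST"' EXIT
cat > "$ACCESS_LIST" <<'EOF'
+@network        # the group network has ssh access to the server
+@LDAP_NOC_UNIXTEK
+john
-ALL
EOF

# check_access FILE USER [GROUP...]
# Prints "allow" or "deny" and returns 0 only when the user is allowed.
# Assumed semantics: entries are tried top to bottom and the first match
# wins; "+" allows, "-" denies; "@name" matches a group the user belongs to;
# "ALL" matches everyone; text after "#" is a comment. A user that matches
# no entry at all is denied (fail closed), and malformed lines are ignored.
check_access() {
    file=$1
    user=$2
    shift 2
    memberof="$*"
    verdict=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop the comment, then let word splitting trim surrounding blanks.
        set -- ${line%%#*}
        if [ $# -eq 0 ]; then
            continue
        fi
        entry=$1
        case $entry in
            +*) action=allow; name=${entry#+} ;;
            -*) action=deny;  name=${entry#-} ;;
            *)  continue ;;
        esac
        case $name in
            ALL)
                verdict=$action ;;
            @*)
                g=${name#@}
                for m in $memberof; do
                    if [ "$m" = "$g" ]; then
                        verdict=$action
                    fi
                done ;;
            *)
                if [ "$name" = "$user" ]; then
                    verdict=$action
                fi ;;
        esac
        if [ -n "$verdict" ]; then
            break
        fi
    done < "$file"
    case $verdict in
        allow) printf 'allow\n'; return 0 ;;
        *)     printf 'deny\n';  return 1 ;;
    esac
}

# Stand-alone demonstration with constructed users and groups.
for who in "john staff" "alice network" "bob staff" "carol LDAP_NOC_UNIXTEK staff"; do
    set -- $who
    u=$1
    shift
    printf '%-6s groups=[%s]: %s\n' "$u" "$*" "$(check_access "$ACCESS_LIST" "$u" "$@")"
done
```

Run it as-is to see the four verdicts, or point the first argument of check_access at a copy of your own list to confirm that the final "-ALL" line really catches every account that is not explicitly allowed; a list without such a catch-all still denies unmatched users here because the function fails closed.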