Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Access control on aix, a la pam_access

Access control on aix, a la pam_access

Access control on aix, a la pam_access

Access control on hpux, linux is controled easily by pam_access. AIX doesn't seem to have pam_access, how do you do it? I wish a defined group can ssh to a server (from a defined IPs) but not other group....


Just want to control ssh, not other TCP connection type, so TCP Wrappers is out of question.

Any ideas?


RE: Access control on aix, a la pam_access

Hi Tuan,
I did the configuration a long time ago, and let me tell you, its a pain in the neck. I roughly remember the below

edit the pam.conf file in /etc
# vi /etc/pam.conf
go to 'Authentication' and add
sshd auth required pam_prohibit /var/adm/users
It means that for the user list (/var/adm/users) block the ssh access to the host.
in /var/adm/users manually add users to block their access.

Now vi /etc/ssh/sshd_config and go to
# UsePAM --> change it to yes
# stopsrc -s sshd
# startsrc -s sshd

I hope this helps.

Sr. Systems Engineer

RE: Access control on aix, a la pam_access


Thanks for your direction, I setup as your description, but then I can't login no matter if there is anything or not in the file /var/adm/users. In syslog there is this error

auth|security:err|error sshd: PAM: pam_prohibit authenticate: illegal option /var/adm/users

I try google and "man" for AIX pam_*, but could not find any thing except aaccount control for ftp login (/etc/ftpuser).


any ideas?

Best Regards

RE: Access control on aix, a la pam_access

Thanks chgwhat

As I wrote in my question, no TCP Wrappers please.

And I also know this link "...developerworks/aix/library/au-sshlocks", it is just a general speaks not specific for AIX, but linux.

Our ssh uses pam with the following at /etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

IBM, please do adapt pam_access to AIX.

Any ideas?

RE: Access control on aix, a la pam_access

....I got a hint from it.toolbox

Hi Dan,

at last after many hours....og my God it works.....Thanks to all of you and IBM...

Sorry, it was first yesterday when I rerereread the thread and your answer "The file to use for the control list is configured using a module option and defaults to /etc/ftpusers..", it was the word "default" which gives me the hint.

ok the pam_permission library is not only for ftp but also for other tools..... Now it is very easy to control the users/groups who can ssh to the server (I don't want to "touch" any other protocol (apache, oracle, postfix..), I believe it requires more attention/test/work when using tcp-wrapper. http://www.ibm.com/developerworks/aix/library/au-t...)

The solution is below:

lssec -f /etc/security/login.cfg -s usw -a auth_type
chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

sshd auth required /usr/lib/security/pam_aix
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=prohibit
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

/etc/security/access.conf #I called it access.conf just like on linux
+@network # the group network has ssh access to the server

chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP" (compat not work for ldap login!!)
chsec -f /etc/security/user -s default -a "registry=LDAP" (compat not work for ldap)

Because of the "registry=LDAP" above, you need to do the following for enable local user login:
chsec -f /etc/security/user -s default -a "registry=files"
chuser registry=files <USER>
enable LDAP again:
chsec -f /etc/security/user -s default -a "registry=LDAP"

lsuser <USER>
lsldap -a passwd

Thanks again

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close