Access control on aix, a la pam_access


van12

Technical User
Nov 17, 2012
Access control on HP-UX and Linux is controlled easily by pam_access. AIX doesn't seem to have pam_access, so how do you do it? I wish that a defined group could ssh to a server (from defined IPs) but not another group....


Just want to control ssh, not other TCP connection types, so TCP Wrappers is out of the question.

Any ideas?

Tuan
 
Hi Tuan,
I did the configuration a long time ago, and let me tell you, it's a pain in the neck. I roughly remember the following:

Edit the pam.conf file in /etc:
# vi /etc/pam.conf
Go to 'Authentication' and add
sshd auth required pam_prohibit /var/adm/users
It means that for the users listed in /var/adm/users, ssh access to the host is blocked.
In /var/adm/users, manually add the users whose access you want to block.

Now vi /etc/ssh/sshd_config and go to:
# UsePAM --> change it to yes
# stopsrc -s sshd
# startsrc -s sshd


I hope this helps.

SARFARAZ AHMED SYED,
Sr. Systems Engineer
 
Hi SARFARAZ,

Thanks for your direction. I set it up as you described, but then I can't log in, no matter whether there is anything in the file /var/adm/users or not. In syslog there is this error:

auth|security:err|error sshd: PAM: pam_prohibit authenticate: illegal option /var/adm/users

I tried Google and "man" for AIX pam_*, but could not find anything except account control for ftp login (/etc/ftpusers).


Any ideas?

Best Regards
Tuan
 
Thanks chgwhat,

As I wrote in my question, no TCP Wrappers please.

And I also know this link "...developerworks/aix/library/au-sshlocks"; it is just general talk, not specific to AIX, but Linux.

Our ssh uses PAM with the following in /etc/pam.conf:
sshd auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

IBM, please do adapt pam_access to AIX.

Any ideas?
Tuan
 
....I got a hint from it.toolbox

Hi Dan,

At last, after many hours.... oh my God, it works..... Thanks to all of you and IBM...

Sorry, it was only yesterday, when I re-re-reread the thread and your answer "The file to use for the control list is configured using a module option and defaults to /etc/ftpusers..", that the word "default" gave me the hint.

OK, the pam_permission library is not only for ftp but also for other tools..... Now it is very easy to control the users/groups who can ssh to the server (I don't want to "touch" any other protocol (apache, oracle, postfix..); I believe it requires more attention/test/work when using tcp-wrapper).
The solution is below:


lssec -f /etc/security/login.cfg -s usw -a auth_type
chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

/etc/pam.conf
sshd auth required /usr/lib/security/pam_aix
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=prohibit
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
sshd session optional /usr/lib/security/pam_mkuserhome

/etc/security/access.conf # I called it access.conf just like on Linux
+@network # the group network has ssh access to the server
+@LDAP_NOC_UNIXTEK
+john
-ALL


chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP" (compat does not work for LDAP login!!)
chsec -f /etc/security/user -s default -a "registry=LDAP" (compat does not work for LDAP)

Because of the "registry=LDAP" above, you need to do the following to enable local user login:
chsec -f /etc/security/user -s default -a "registry=files"
chuser registry=files <USER>
Enable LDAP again:
chsec -f /etc/security/user -s default -a "registry=LDAP"

Test:
lsuser <USER>
lsldap -a passwd

Thanks again
Tuan
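An added dry-run check (not from the thread, not IBM's code) that replays a pam_permission-style control list against a user and their group list, so the list from the solution above can be verified before the auth stack is changed and nobody gets locked out as happened earlier in the thread. It assumes the matching rules stated in the comments (first match wins, "+" allows, "-" prohibits, a bare entry takes the found= action, "@" marks a group, ALL matches everyone); the control list and the users are constructed for the walk-through.

```shell
#!/bin/sh
# Constructed copy of the control list from the thread (the file= argument of pam_permission).
ACCESS_FILE=$(mktemp)
cat > "$ACCESS_FILE" <<'EOF'
+@network # the group network has ssh access to the server
+@LDAP_NOC_UNIXTEK
+john
-ALL
EOF

# would_allow USER [GROUP...]  -> prints "allow" or "prohibit"
# Assumed pam_permission rules (matching the thread's found=prohibit config):
#   entries are read top to bottom and the first match wins; "+" allows, "-" prohibits,
#   a bare entry takes the found= action (prohibit here); "@name" is a group; ALL matches everyone.
would_allow() {
    user=$1
    shift
    groups=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # drop a trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')     # drop whitespace
        if [ -z "$entry" ]; then continue; fi
        case $entry in
            +*) action=allow;    name=${entry#+} ;;
            -*) action=prohibit; name=${entry#-} ;;
            *)  action=prohibit; name=$entry ;;
        esac
        case $name in
            ALL) echo "$action"; return 0 ;;
            @*)  case $groups in
                     *" ${name#@} "*) echo "$action"; return 0 ;;
                 esac ;;
            *)   if [ "$name" = "$user" ]; then echo "$action"; return 0; fi ;;
        esac
    done < "$ACCESS_FILE"
    echo allow   # no entry matched: assumed the module stays silent and pam_aix decides
}

# On AIX the group list of a real account comes from lsuser, e.g.:
#   would_allow tuan $(lsuser -a groups tuan | sed 's/^.*groups=//; s/,/ /g')
# Constructed users for a quick walk-through:
for u in "john staff" "alice staff network" "bob staff" "noc LDAP_NOC_UNIXTEK"; do
    set -- $u
    printf '%-6s -> %s\n' "$1" "$(would_allow "$@")"
done
```

Run it against a copy of the real access.conf by pointing ACCESS_FILE at it, and check every admin account that must keep ssh access before changing auth_type to PAM_AUTH.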
 