I'm trying to lock down some new CentOS 7.4 systems using the same pam_listfile.so setup I've used in RHEL5/6 systems for years, but it's not working. I have the following setup, where I created a system-auth-local file in /etc/pam.d with the entries from system-auth-ac, plus my lines:
lrwxrwxrwx 1 root root 17 Jan 31 06:05 system-auth -> system-auth-local
-rw-r--r-- 1 root root 1214 Jan 31 07:06 system-auth-local
my pam package version is pam-1.1.8-18.el7.x86_64
Code: Select all
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# Check user is allowed access, bail if not in access list.
auth required /usr/lib64/security/pam_listfile.so item=user sense=allow file=/etc/users.allow onerr=fail
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Code: Select all
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth required /usr/lib64/security/pam_listfile.so item=user sense=allow file=/etc/users.allow onerr=fail
type=CRED_ACQ msg=audit(1517413145.303:206): pid=4173 uid=0 auid=61255 ses=8 msg='op=PAM:setcred grantors=pam_listfile,pam_env,pam_unix acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.139.81 addr=192.168.139.81 terminal=ssh res=success'
What am I missing here?
John