pam_listfile not working like on RHEL5/6

Support for security such as Firewalls and securing linux
Post Reply
l8gravely
Posts: 3
Joined: 2018/01/31 14:49:52

pam_listfile not working like on RHEL5/6

Post by l8gravely » 2018/01/31 17:11:15

Hi,
I'm trying to lock down some new CentOS 7.4 systems using the same pam_listfile.so setup I've used in RHEL5/6 systems for years, but it's not working. I have the following setup, where I created a system-auth-local file in /etc/pam.d with the entries from system-auth-ac, plus my lines:

lrwxrwxrwx 1 root root 17 Jan 31 06:05 system-auth -> system-auth-local
-rw-r--r-- 1 root root 1214 Jan 31 07:06 system-auth-local

my pam package version is pam-1.1.8-18.el7.x86_64

Code: Select all

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so

# Check user is allowed access, bail if not in access list.
auth        required      /usr/lib64/security/pam_listfile.so item=user sense=allow file=/etc/users.allow onerr=fail

auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
but it doesn't stop me from logging in when I remove my username from the /etc/users.allow file. I've even tried putting the following at the end of the /etc/pam.d/sshd config file:

Code: Select all

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
auth  required  /usr/lib64/security/pam_listfile.so item=user sense=allow file=/etc/users.allow onerr=fail
without any effect. All the RHEL/CentOS docs I've found say this is how to do it, and it's worked on older versions without problems. Looking in /var/log/audit/audit.log I don't see any real details on why pam is letting me into the system still. It should be locking me out. I see stuff like this:

type=CRED_ACQ msg=audit(1517413145.303:206): pid=4173 uid=0 auid=61255 ses=8 msg='op=PAM:setcred grantors=pam_listfile,pam_env,pam_unix acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.139.81 addr=192.168.139.81 terminal=ssh res=success'


What am I missing here?

John

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: pam_listfile not working like on RHEL5/6

Post by TrevorH » 2018/01/31 17:16:29

What sort of logins are you hoping to restrict with this?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

l8gravely
Posts: 3
Joined: 2018/01/31 14:49:52

Re: pam_listfile not working like on RHEL5/6

Post by l8gravely » 2018/01/31 20:42:55

I'm trying to restrict SSH logins mostly. We used to offer rlogin/rsh/telnet but I've managed to kill them off mostly. Can you say legacy environment?

Basically these hosts are *mostly* compute nodes, which should only be accessed vai the job scheduling tool, not via random SSH logins by users.

Admins and scheduling user need full access via SSH, which is why I'm working to migrate my RHEL6.6 kickstart environment upto CentOS7.4 for new builds.

l8gravely
Posts: 3
Joined: 2018/01/31 14:49:52

Re: pam_listfile not working like on RHEL5/6

Post by l8gravely » 2018/01/31 20:58:42

Argh!!! I've just figured out that using pam_listfiles will block users when they have to enter a password, but will NOT block users when they are using an ssh key in authorized_hosts for some insane reason. Dammit... I hate PAM and how frustrating it is to debug and trace what needs to be done.

Post Reply