Allow/Deny logins via ssh server using PAM module


PAM, or Pluggable Authentication Modules, is an authentication layer on Linux and Unix-like operating systems that many services use to verify users. PAM lets you define flexible rules for authenticating users, so when you need to allow or deny SSH logins for a large set of users, the PAM configuration is the place to do it.

    The idea is straightforward: you want to limit who can use sshd based on a list of users. A text file contains the users that may not log in (or, alternatively, the users that may log in) through the SSH server. This is used to improve security.

    The pam_listfile module authenticates users based on the contents of a specified file. For example, if the username exists in the file /etc/ssh/ssh.allow, sshd will grant login access.

    Allow Specific Users

    Follow the steps below to allow specific users:
    Step #1 Add User Name in File
    If you want only specific users to be able to log in via ssh, create a file and add their user names to it:

    # vim /etc/ssh/ssh.allow
    

    Add user name:

    technical
    

    Step #2 Add Rule in PAM
    Now open the PAM configuration file for the sshd service (the service name is sshd, matching the sshd: prefix in the log lines below) and append the following line:

    # vi /etc/pam.d/sshd
    

    Append following line:

    auth required pam_listfile.so item=user sense=allow file=/etc/ssh/ssh.allow onerr=fail
    

    Step #3 Restart Service
    Now restart the ssh service using the following command:
    For CentOS/RHEL 7

    # systemctl restart sshd
    

    For CentOS/RHEL 6 & 5

    # /etc/init.d/sshd restart
    

    Step #4 Check Log File
    Now check the log file (/var/log/secure on CentOS/RHEL):

    Feb 17 20:13:42 techoism sshd[1637]: Accepted password for technical from 192.168.0.104 port 58124 ssh2
    Feb 17 20:13:42 techoism sshd[1637]: pam_unix(sshd:session): session opened for user technical by (uid=0)
    Feb 17 20:07:54 techoism sshd[1532]: pam_listfile(sshd:auth): Refused user support for service sshd
    Feb 17 20:07:55 techoism sshd[1532]: Failed password for support from 192.168.0.104 port 58111 ssh2
    

    Understanding the config parameters:
    auth required pam_listfile.so: The module is required to succeed during the auth phase; if it fails, authentication fails.
    item=user: Match the login username against the list.
    sense=allow: Allow the user only if the username is present in the specified file.
    file=/etc/ssh/ssh.allow: Name of the file that contains the list of users (one user per line).
    onerr=fail: If the file does not exist, cannot be read, or the username is malformed, the module returns failure and the login is refused (the rule fails closed).

    Deny Specific Users

    Follow the steps below to deny specific users:
    Step #1 Add User Name in File
    If you want to deny specific users access via ssh, create a file and add their user names to it:

    # vim /etc/ssh/ssh.deny
    

    Add user name:

    technical
    

    Step #2 Add Rule in PAM
    Now open the PAM configuration file for the sshd service and append the following line:

    # vi /etc/pam.d/sshd
    

    Append following line:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh.deny onerr=succeed
    

    Step #3 Restart Service
    Now restart the ssh service using the following command:
    For CentOS/RHEL 7

    # systemctl restart sshd
    

    For CentOS/RHEL 6 & 5

    # /etc/init.d/sshd restart
    

    Step #4 Check Log File
    Now check the log file (/var/log/secure on CentOS/RHEL):

    Feb 17 20:36:04 techoism sshd[1690]: pam_listfile(sshd:auth): Refused user technical for service sshd
    Feb 17 20:36:06 techoism sshd[1690]: Failed password for technical from 192.168.0.104 port 58226 ssh2
    Feb 17 20:36:15 techoism sshd[1692]: Accepted password for support from 192.168.0.104 port 58227 ssh2
    Feb 17 20:36:15 techoism sshd[1692]: pam_unix(sshd:session): session opened for user support by (uid=0)
    

    Understanding the config parameters:

    auth required pam_listfile.so: The module is required to succeed during the auth phase; if it fails, authentication fails.
    item=user: Match the login username against the list.
    sense=deny: Deny the user if the username is present in the specified file.
    file=/etc/ssh/ssh.deny: Name of the file that contains the list of users (one user per line).
    onerr=succeed: If an error is encountered (for example, the file is missing), PAM returns PAM_SUCCESS, so nobody is denied by this rule (it fails open); make sure the file exists.
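    The following is an added example, not code from the original post: a small POSIX shell emulation of the decision pam_listfile makes for item=user, so you can see how sense= and onerr= combine for both the allow rule and the deny rule above before editing /etc/pam.d/sshd. The list file path and usernames are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Emulates pam_listfile's decision for item=user (added example, not the module's code).
# Usage: listfile_decide USER SENSE FILE ONERR -> prints allow|deny, returns 0|1
listfile_decide() {
    user=$1; sense=$2; file=$3; onerr=$4

    # Error path: a missing or unreadable list is decided by onerr alone.
    # onerr=fail refuses everyone (fail closed); onerr=succeed refuses nobody (fail open).
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        if [ "$onerr" = "fail" ]; then echo deny; return 1; fi
        echo allow; return 0
    fi

    # Exact whole-line match, one username per line, as the module expects.
    if grep -qxF -- "$user" "$file"; then listed=yes; else listed=no; fi

    case "$sense:$listed" in
        allow:yes|deny:no) echo allow; return 0 ;;
        *)                 echo deny;  return 1 ;;
    esac
}

# pam_listfile rejects a list that is world-writable or not a regular file;
# this check flags such a file so the rule is not silently weakened.
listfile_check_perms() {
    file=$1
    if find "$file" -maxdepth 0 -type f ! -perm -002 | grep -q .; then
        echo "ok: $file is a regular file and not world-writable"; return 0
    fi
    echo "warning: $file must be a regular file and not world-writable" >&2
    return 1
}

# Demo with a constructed temporary list (the post uses /etc/ssh/ssh.allow and ssh.deny).
demo() {
    tmp=$(mktemp)
    printf 'technical\n' > "$tmp"
    echo "allow rule, listed user:    $(listfile_decide technical allow "$tmp" fail)"
    echo "allow rule, unlisted user:  $(listfile_decide support allow "$tmp" fail)"
    echo "deny rule, listed user:     $(listfile_decide technical deny "$tmp" succeed)"
    echo "deny rule, unlisted user:   $(listfile_decide support deny "$tmp" succeed)"
    echo "allow rule, missing file:   $(listfile_decide technical allow /nonexistent/ssh.allow fail)"
    echo "deny rule, missing file:    $(listfile_decide technical deny /nonexistent/ssh.deny succeed)"
    listfile_check_perms "$tmp"
    rm -f "$tmp"
}
demo
```

    The two "missing file" lines show why onerr=fail belongs on an allow list and why a deny list with onerr=succeed must actually exist.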

    Enjoy it!
