Allow/Deny system logins to specific groups using PAM module

PAM (Pluggable Authentication Modules) gives a layer in the middle of applications and the actual authentication system. PAM is a library of loadable modules called by applications which are used for security prerequisites as a part of every application. There are two approaches to allow and restrict system login to particular user group only. The least difficult technique is to use a PAM module called pam_listfile.so. Securing system login access is important task on the off chance that you require a protected system.
Linux Group Pam Module

pam_listfile is a PAM module which gives an approach to allow or deny access to services based on an arbitrary file.

In this article you would like to allow login to only members of wheel and techgroup groups.

Step #1 Create Group Login file

This file contains one line for every group listed. On the off chance that the group name is found, then logging is permitted; else approval request denied:

# vim /etc/group.login.allowed

Now add group names:

wheel
techdev

Step #2 Allow group based login using PAM

Now add following entry in PAM file:
For CentOS/RHEL

# vim /etc/pam.d/system-auth

For Ubuntu

# vim /etc/pam.d/common-auth

You must add the following config at the top of the file:

auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

Note:

auth required pam_listfile.so: Pam module name required for allowing group based login
onerr=fail: What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
item=group: Check for group name
sense=allow: The authorization request to succeed if group name
file=/etc/group.login.allowed: Filename contains one line per group name listed.

Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services.

The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).

Enjoy it!