Allow/Deny logins via ssh server using PAM module
PAM (Pluggable Authentication Modules) is an authentication layer on Linux and Unix-like operating systems that lets many different services share one set of authentication rules. PAM lets you define flexible policies for verifying users, so if you need to allow or deny a whole group of users, you can do it through the PAM configuration.
The idea is simple: you want to restrict who can use sshd based on a list of users. A plain text file holds the list of users who may (or may not) log in through the SSH server. This is a cheap way to tighten access.
The pam_listfile module checks an item of the login (here, the username) against the contents of a specified file. For example, with an allow list in /etc/ssh/ssh.allow, sshd grants login access only when the username appears in that file.
Allow Specific Users
Follow the steps below to allow only specific users:
Step #1 Add User Name in File
If you want only specific users to be able to log in via ssh, create a file and add their user names to it, one per line.
# vim /etc/ssh/ssh.allow
Add the user name:
technical
Step #2 Add Rule in PAM
Now open the PAM configuration file for the SSH service (on CentOS/RHEL the file is /etc/pam.d/sshd; Debian and Ubuntu use /etc/pam.d/ssh):
# vi /etc/pam.d/ssh
Append the following line (the file= path must be the same file you created in Step #1):
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/ssh.allow onerr=fail
Step #3 Restart Service
Now restart the ssh service using the following command:
For CentOS/RHEL 7
# systemctl restart sshd
For CentOS/RHEL 6 & 5
# /etc/init.d/sshd restart
Step #4 Check Log File
Now check the log file (/var/log/secure on CentOS/RHEL). The listed user is accepted, while an unlisted user is refused by pam_listfile before the password check fails:
Feb 17 20:13:42 techoism sshd[1637]: Accepted password for technical from 192.168.0.104 port 58124 ssh2
Feb 17 20:13:42 techoism sshd[1637]: pam_unix(sshd:session): session opened for user technical by (uid=0)
Feb 17 20:07:54 techoism sshd[1532]: pam_listfile(sshd:auth): Refused user support for service sshd
Feb 17 20:07:55 techoism sshd[1532]: Failed password for support from 192.168.0.104 port 58111 ssh2
Understanding the config parameters:
auth required pam_listfile.so: run pam_listfile in the auth stack; it must succeed for the login to succeed. Because the control is "required" rather than "requisite", the remaining auth modules still run after a refusal, which is why the log shows a password failure after the pam_listfile refusal.
item=user: the item compared against the list is the username.
sense=allow: permit the user only if the name is present in the specified file; every user not listed is refused.
file=/etc/ssh/ssh.allow: the file containing the list of users (one user per line). It must be a regular file that is not world-writable.
onerr=fail: if the file does not exist, cannot be read, or an entry is malformed, the module returns failure and no login is allowed. With an allow list this is the safe choice: a missing file locks everyone out instead of letting everyone in.
Deny Specific Users
Follow the steps below to deny specific users:
Step #1 Add User Name in File
If you want to deny specific users access via ssh, create a file and add their user names to it, one per line.
# vim /etc/ssh/ssh.deny
Add the user name:
technical
Step #2 Add Rule in PAM
Now open the PAM configuration file for the SSH service (on CentOS/RHEL the file is /etc/pam.d/sshd; Debian and Ubuntu use /etc/pam.d/ssh):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh.deny onerr=succeed
Step #3 Restart Service
Now restart the ssh service using the following command:
For CentOS/RHEL 7
# systemctl restart sshd
For CentOS/RHEL 6 & 5
# /etc/init.d/sshd restart
Step #4 Check Log File
Now check the log file. The listed user is now refused by pam_listfile, while an unlisted user logs in normally:
Feb 17 20:36:04 techoism sshd[1690]: pam_listfile(sshd:auth): Refused user technical for service sshd
Feb 17 20:36:06 techoism sshd[1690]: Failed password for technical from 192.168.0.104 port 58226 ssh2
Feb 17 20:36:15 techoism sshd[1692]: Accepted password for support from 192.168.0.104 port 58227 ssh2
Feb 17 20:36:15 techoism sshd[1692]: pam_unix(sshd:session): session opened for user support by (uid=0)
Understanding the config parameters:
auth required pam_listfile.so: run pam_listfile in the auth stack; it must succeed for the login to succeed.
item=user: the item compared against the list is the username.
sense=deny: refuse the user if the name is present in the specified file; every other user passes this module.
file=/etc/ssh/ssh.deny: the file containing the list of users (one user per line).
onerr=succeed: if an error is encountered (for example the file is missing or unreadable), PAM returns PAM_SUCCESS. Note that this means the deny list fails open: if the file disappears, the users you meant to block can log in again, so make sure the file exists and stays readable by root.
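The mistakes that silently break either of the two configurations above are a file= path that does not match the file you created, a list file with the wrong permissions, or an entry that matches no real account. The following pre-flight check is an added example, not part of the original post: it takes the file=, sense= and onerr= values from the pam_listfile line and reports each of those problems, saying what onerr= would turn a missing file into. The optional fourth argument (a passwd file path) is an assumption added only so the check can run against a constructed passwd file instead of the real one.

```shell
#!/bin/sh
# Pre-flight check for a pam_listfile user list (added example, not from the
# original post). Usage: check_listfile LISTFILE SENSE ONERR [PASSWD_FILE]
# LISTFILE, SENSE and ONERR are the file=, sense= and onerr= values from the
# pam_listfile line. PASSWD_FILE defaults to /etc/passwd and is overridden
# only for testing. Returns 0 if the list is usable, 1 if a finding affects logins.
check_listfile() {
    listfile=$1; sense=$2; onerr=$3; passwd=${4:-/etc/passwd}
    # A missing list file is an error for pam_listfile; onerr= decides what
    # that error means for the login attempt.
    if [ "$onerr" = fail ]; then
        onerr_effect="onerr=fail, so every SSH login is refused"
    else
        onerr_effect="onerr=succeed, so sense=$sense is silently not enforced"
    fi
    if [ ! -f "$listfile" ]; then
        echo "ERROR: $listfile is not a regular file ($onerr_effect)"
        return 1
    fi
    # pam_listfile requires a plain file that is not world-writable; the 9th
    # character of the ls -ld mode string is the world-write bit.
    case $(ls -ld "$listfile") in
        ????????w*) echo "ERROR: $listfile is world-writable; pam_listfile will not use it"
                    return 1 ;;
    esac
    rc=0
    # One user per line. pam_listfile compares whole lines, so an entry with
    # whitespace, or a name that is not a real account, never matches anyone.
    while IFS= read -r name || [ -n "$name" ]; do
        [ -z "$name" ] && continue
        case $name in
            *[[:space:]]*) echo "WARN: '$name' contains whitespace and will never match"
                           rc=1; continue ;;
        esac
        if ! cut -d: -f1 "$passwd" | grep -qxF -- "$name"; then
            echo "WARN: user '$name' does not exist in $passwd"
            rc=1
        fi
    done < "$listfile"
    return $rc
}
```

Run it as root after editing the list, e.g. check_listfile /etc/ssh/ssh.allow allow fail, before restarting sshd, so that a typo in the file name or a missing account is caught before it locks you out.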
Enjoy it!