Title: Limiting user access to network services with PAM

KBTAG: kben10000015
URL: http://www.securityportal.com/lskb/10000000/kben10000015.html
Date created: 13/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: How to use PAM to limit users' access to various network services
Keywords: Network/Servers, PAM/Servers

Implementation information:
Difficulty: mild
Requirements: PAM, PAM enabled network services
Time (approx.): several minutes

Summary:

PAM-enabled network services can easily grant or deny access on a per-user basis. This is extremely useful if, for example, you run both an IMAP and a POP server on your mail server and only want to give certain users access to IMAP.

More information:

PAM has an authentication module called "pam_listfile.so", which checks a file for a list of user names and, on finding the specified username, can either deny or grant access to the service. You need to put an entry in the program's PAM configuration file, usually /etc/pam.d/servicename. For example, with IMAP, if you wanted to allow only certain users access:

auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/imapusers-allow onerr=fail

This line means: use the auth module "pam_listfile.so"; the item to check is the user (you could also use group); if the check succeeds (i.e. the user is listed in the file) then grant access; use the file "/etc/imapusers-allow"; and if the name is not found, generate an error (and access is denied).

If on the other hand you want to deny access to certain users you would use:

auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/imapusers-deny onerr=fail

The same as above, except that the default is to allow (onerr=succeed) and a user is denied only if they are listed in "/etc/imapusers-deny". As always, a policy of default deny is safer than one that defaults to allowing access. Also test your configuration: sometimes daemons don't behave, or may not have PAM support compiled in, so make sure it blocks or grants access as expected.

Recognized arguments for the module are:

onerr=succeed|fail
sense=allow|deny
file=filename
item=user|tty|rhost|ruser|group|shell
apply=user|@group
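As an added example (not from the original article or the Linux-PAM project), a POSIX shell dry-run evaluator for a pam_listfile.so line: it applies the documented sense= rule to a constructed list file and shows what onerr= does when the list file is missing or unreadable, which is the error case onerr= actually governs. The function name pam_listfile_check and the sample user lists are assumptions made up for this example.

```shell
#!/bin/sh
# Dry-run evaluator for one pam_listfile.so configuration line.
# Constructed example: the function name pam_listfile_check is not part of
# Linux-PAM; it only reproduces the documented decision rule so a list file
# and its sense=/onerr= settings can be checked outside a real login.
#
# Usage: pam_listfile_check 'item=user sense=allow file=/etc/imapusers-allow onerr=fail' alice
# Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
pam_listfile_check() {
  _args=$1
  _value=$2            # the value of the configured item, e.g. the user name
  _sense='' _file='' _onerr=''
  for _kv in $_args; do
    case $_kv in
      sense=*) _sense=${_kv#sense=} ;;
      file=*)  _file=${_kv#file=} ;;
      onerr=*) _onerr=${_kv#onerr=} ;;
    esac
  done
  # onerr= governs the module's behaviour when it hits an error, such as a
  # missing or unreadable list file; it is independent of whether the name
  # is listed. onerr=fail keeps the service default-deny in that case.
  if [ -z "$_sense" ] || [ ! -r "$_file" ]; then
    if [ "$_onerr" = succeed ]; then echo allow; return 0; fi
    echo deny; return 1
  fi
  # One entry per line; -F fixed string, -x whole line, -q quiet.
  if grep -Fxq -- "$_value" "$_file"; then _listed=yes; else _listed=no; fi
  case "$_sense:$_listed" in
    allow:yes|deny:no) echo allow; return 0 ;;
    *)                 echo deny;  return 1 ;;
  esac
}

# Demonstration with constructed list files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'alice\ncarol\n' > "$demo_dir/imapusers-allow"
printf 'mallory\n'      > "$demo_dir/imapusers-deny"
allow_line="item=user sense=allow file=$demo_dir/imapusers-allow onerr=fail"
deny_line="item=user sense=deny file=$demo_dir/imapusers-deny onerr=fail"
missing_line="item=user sense=allow file=$demo_dir/does-not-exist onerr=fail"
for u in alice bob mallory; do
  echo "sense=allow $u: $(pam_listfile_check "$allow_line" "$u")"
  echo "sense=deny  $u: $(pam_listfile_check "$deny_line" "$u")"
done
echo "missing list, onerr=fail alice: $(pam_listfile_check "$missing_line" alice)"
rm -rf "$demo_dir"
```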

References:

PAM documentation is typically in /usr/share/doc/libpam-version/.

Notes:

You can also block access to services based on time.