Using pam_access for some services only

When using pam_access to manage access to machines, I recently ran into the problem of not being able to run cronjobs any more.

pam kept saying things like

pam_access(su:account): access denied for user `nobody' from `???'

When I looked for solutions to this problem, I quickly found that people would put entries into their access.conf in order to allow local access on the machines. I didn’t like that approach too much since that would imply changing and rolling out the configuration on a couple of hundred servers. Instead, I found this neat way to use pam_access only for sshd and login, which are the only services I actually need pam_access for, while still using the distribution (Debian) way of managing the PAM configuration (pam-auth-update). This file, installed to /usr/share/pam-configs, lets pam-auth-update build the configuration into the PAM common-* files while letting cronjobs run without entries in access.conf.

Name: activate access.conf
Default: yes
Priority: 900
Account-Type: Primary
Account:
[default=1 success=ignore] pam_succeed_if.so service in sshd:login quiet
required pam_access.so

The way it works is that PAM only reaches pam_access if the service is either sshd or login: in that case pam_succeed_if succeeds, and success=ignore lets the stack continue to the next line. For any other service (cron, su, ...) pam_succeed_if fails, and default=1 tells PAM to skip the next one line, so pam_access.so is never consulted and no access.conf entry is needed.
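To see that jump semantics without touching a real PAM stack, here is an added example (not code from the original post) that interprets the two-line account stack above for a given PAM service name; it assumes the stack text exactly as written in the file and supports only the bracketed control syntax and the "service in a:b" form of pam_succeed_if used there.

```python
"""Walk the two-line 'account' stack from the post for a given service name.

Mini-interpreter for the [default=N success=ignore] control syntax and the
pam_succeed_if 'service in a:b:c' test. The stack text is the post's own
pam-configs file; everything else is assumed for the example.
"""
import re

ACCOUNT_STACK = """
[default=1 success=ignore] pam_succeed_if.so service in sshd:login quiet
required pam_access.so
""".strip().splitlines()


def parse_line(line):
    """Split one stack line into (control actions, module name, module args)."""
    m = re.match(r'^(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$', line)
    control, module, args = m.groups()
    if control.startswith('['):
        # "[default=1 success=ignore]" -> {'default': '1', 'success': 'ignore'}
        actions = dict(tok.split('=', 1) for tok in control[1:-1].split())
    else:
        actions = {control: None}  # simple keyword: required, sufficient, ...
    return actions, module, args.split()


def succeed_if(args, service):
    """Evaluate the only pam_succeed_if test used in the post: 'service in a:b'."""
    key, op, values = args[0], args[1], args[2].split(':')
    assert key == 'service' and op == 'in', 'unsupported pam_succeed_if test'
    return service in values


def modules_consulted(stack, service):
    """Return the modules PAM would actually call for this service name."""
    consulted, i = [], 0
    while i < len(stack):
        actions, module, args = parse_line(stack[i])
        consulted.append(module)
        if module == 'pam_succeed_if.so':
            result = 'success' if succeed_if(args, service) else 'default'
            action = actions.get(result) or actions.get('default')
            # success=ignore -> fall through; default=N -> skip the next N lines
            skip = int(action) if action not in (None, 'ignore') else 0
            i += 1 + skip
        else:
            i += 1
    return consulted


if __name__ == '__main__':
    for svc in ('sshd', 'login', 'cron', 'su'):
        print(svc, '->', modules_consulted(ACCOUNT_STACK, svc))
```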

As you can see in the screenshot below, the string in “Name” shows up on the pam-auth-update dialog:
