
I'd like to be able to configure /etc/pam.d/sshd so that:

for all users except those in group "admin", module pam_radius is required.

for those users in group admin, module pam_radius is sufficient.

How to do this?

Michael Martinez
  • The linked Q&A should cover it. You'd want to change the check `pam_access` is performing from a host based to group based. – Andrew B Feb 13 '16 at 02:57

1 Answer

Based on the link provided by Andrew B (thanks Andrew), I solved this with the following:

in /etc/pam.d/sshd:

# Step 1: pam_access checks the custom access file. If the user is allowed
# (member of "admin"), skip the next line; otherwise ignore this result and fall through.
auth    [success=1 default=ignore] pam_access.so accessfile=/etc/security/ssh.conf
# Step 2 (reached only by non-admins): RADIUS authentication is mandatory.
auth    required        pam_radius_auth.so
# Step 3: a RADIUS success is enough on its own (admins jump straight here).
auth    sufficient      pam_radius_auth.so
# Step 4: the distribution's standard auth stack (unix, ldap, ...).
@include common-auth

I created file /etc/security/ssh.conf:

# deny (-) every user except members of group "admin", from any origin (ALL)
-:ALL EXCEPT admin:ALL

This file denies access to all except those in the admin group. The reason I didn't put this line in /etc/security/access.conf is because it would have unintended consequences for other modules using pam_access.so. So it gets its own file.

In a nutshell, this allows admins to log in via the @common-auth mechanisms (unix, ldap) if RADIUS is down.

Michael Martinez
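To check what this stack actually does for each kind of user before rolling it out, here is an added simulation (not from the answer above) that walks the sshd auth stack with the control-flag semantics of pam.conf(5): required, sufficient, and [success=1 default=ignore]. It assumes "@include common-auth" behaves as a single required module and that each module returns the same result every time it is called in one login.

```python
# Constructed model of how Linux-PAM evaluates the 'auth' stack from the answer.
# Module results are supplied per scenario; no real PAM modules are invoked.

# (control, module) in stack order. "jump1" stands for [success=1 default=ignore].
# Assumption: "@include common-auth" is modelled as one required module.
SSHD_AUTH_STACK = [
    ("jump1",      "pam_access"),
    ("required",   "pam_radius_auth"),
    ("sufficient", "pam_radius_auth"),
    ("required",   "common-auth"),
]


def run_auth_stack(stack, results):
    """Evaluate the stack; results maps module name -> True (PAM_SUCCESS) / False.

    Returns (authenticated, trace) where trace lists every module call made.
    """
    required_failed = False   # a required module failed earlier in the stack
    contributed = False       # at least one module contributed to the verdict
    trace = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = results[module]
        trace.append(f"{module}:{'ok' if ok else 'fail'}")
        i += 1
        if control == "jump1":
            if ok:                       # success: skip the next module
                contributed = True
                i += 1
            # default=ignore: a failure here does not count against the user
        elif control == "required":
            contributed = True
            if not ok:
                required_failed = True   # keep going, but the verdict is now failure
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace       # short-circuit: authenticated
            # a failing sufficient module is simply ignored
    return contributed and not required_failed, trace


def ssh_login(is_admin, radius_ok, local_password_ok):
    """Scenario helper: pam_access passes only admins (-:ALL EXCEPT admin:ALL)."""
    results = {"pam_access": is_admin,
               "pam_radius_auth": radius_ok,
               "common-auth": local_password_ok}
    return run_auth_stack(SSHD_AUTH_STACK, results)


def radius_calls(trace):
    """Number of RADIUS round-trips in a scenario (shows the double call for non-admins)."""
    return sum(entry.startswith("pam_radius_auth") for entry in trace)
```

The trace makes two properties visible: a non-admin can never fall back to local credentials because the required pam_radius_auth failure sticks, and a non-admin login sends two RADIUS requests because both the required and the sufficient line run.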