PAM (Pluggable Authentication Module) can be used to limit users who have access to a certain service based on a list. For example, you can limit SSH connections via PAM.
In "/etc/pam.d/sshd", add the following line:
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist
This will allow a user to login via sshd if they are listed in the "/etc/ssh_allow.pamlist" file. The options specified have the following meanings:
-
onerr=fail -- If an error occurs (file specified is not found or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for onerr is "succeed".
item=user -- Testing or verifythe user's login name.
sense=allow -- If the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for sense is "deny".
file=/etc/ssh_allow.pamlist -- This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
With that, the "/etc/pam.d/sshd" will look like:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth required pam_listfile.so onerr=fail item=user \
sense=allow file=/etc/ssh_allow.pamlist
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Put the valid SSH users in the "/etc/ssh_allow.pamlist" file. Each username should be on a new line.
Related Reading:
Bookmark/Search this post with
you just add the following
you just add the following statements at the first line
auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
The pam excute sequence is line from top to button