problem with login.access

Hello,
in addition to the real console, I'd like to access my server via ssh but restrict this access to one computer of the local network.
So I tried to use these lines in /etc/login.access:
Code:
+:ALL:ttyv0
+:ALL:192.168.1.102
-:ALL:ALL

Now when I connect to the server from 192.168.2.102 or log in directly at the console (ttyv0) as a user that is a member of wheel and try to use su to become root I get this:
Code:
pam_login_access: pam_sm_acct_mgmt: root is not allowed to log in on /dev/tty..)

Why is that? How do these lines in login.access disable the ability to become root via the su command?
Without any restrictions in login.access the users in the wheel group are able to become root...

Thanks,
Nokobon
 
DutchDaemon said:
Why not use hosts.allow for this (hosts_access(5))? Sshd is tcpwrapper-aware.
You are right, in this situation I'd just need tcp-wrappers.
But I forgot to mention that I will have for example one user that is allowed to login over ssh from everywhere.
Sorry for that!
So I have to distinguish between the different users that use ssh, which is not possible with tcp wrappers.
In fact my login.access will look like this:
Code:
+:ALL:ttyv0
+:ALL:192.168.1.102
+:user1:ALL
-:ALL:ALL

Every ssh login is restricted to the local network and ttyv0, except for user1.
So why doesn't su work now?
 
Nokobon said:
Why is that? How do these lines in login.access disable the ability to become root via the su command?
Without any restrictions in login.access the users in the wheel group are able to become root...

Because if you look at the rule stack in /etc/pam.d/su you'll see that it requires "system"; /etc/pam.d/system contains the rule:
Code:
account         required        pam_login_access.so

So login.access changes affect more than one PAM-enabled program -- good thing to keep in mind when you're formulating your ruleset.

As for the original problem, you're probably trying to su from a tty that isn't being explicitly allowed. You may need something more like:
Code:
+:ALL:LOCAL

Or... you may need to explicitly list all possible ttys.
 
Thanks for your answer!
anomie said:
Because if you look at the rule stack in /etc/pam.d/su you'll see that it requires "system"; /etc/pam.d/system contains the rule:
Code:
account         required        pam_login_access.so

So login.access changes affect more than one PAM-enabled program -- good thing to keep in mind when you're formulating your ruleset.
Well, sorry. I have to say, I don't really get what you want to tell me... I've read the man page for pam, but it didn't help me to understand that.

anomie said:
As for the original problem, you're probably trying to su from a tty that isn't being explicitly allowed. You may need something more like:
Code:
+:ALL:LOCAL
I added this line to login.access and now I can use su via ssh.
But what is the difference between using "LOCAL" and using the IP "192.168.1."? I thought they both represent the local network.
But in fact I need both rules to be able to use su...

anomie said:
Or... you may need to explicitly list all possible ttys.
I explicitly allowed ttyv0 before and it didn't work anyhow...
 
anomie said:
No. Read the manpages for login.access(5)
Well, I've read the man page on my server (FreeBSD 7.1), but it's different from the one you referred to.
It says:
Code:
LOCAL (matches any string that does not contain a "." character)
And "Absolute FreeBSD" says, LOCAL matches any host without a dot in it (generally only hosts in the local domain).

Any host in my local domain has got an IP beginning with 192.168.1., so I still wonder what the difference is...

I don't think it is concerned with ttys, because the man page says login.access looks for a matching user-host combination (network logins) or user-tty combination (non-network logins).
And we are talking about network logins now.

Anyhow...now it works, so thanks for your help.
 
There are lots of ways to skin this potato; I don't see a reason to not use pam_login_access(8) to solve this problem (assuming OP is familiar with the others).

@Nokobon: All those manpage versions are saying essentially the same thing!! :) And ttys do not have a dot in them, so of course they match LOCAL. Glad it's working now.
 
Yes, I'm glad it's working now. :)
Thanks!

@ironmikie:
Good idea, I use the AllowUsers option of ssh, but I didn't know (or forgot) that the users can even be restricted to a specific IP.
I may try that.

The advantage of login.access is that these rules apply to all login paths (FTP, Telnet, ...), not just to ssh...
 
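As an added illustration for this thread (it is not code from the thread or from FreeBSD), the following Python models the matching rules of login.access(5) as anomie describes them: the first matching line decides, ALL matches anything, LOCAL matches any origin without a dot, a token ending in "." is a network prefix, a token starting with "." a domain suffix, a users token may name a group, and EXCEPT carves out exceptions. It also models how pam_login_access picks the origin it checks: the remote host for a network login, otherwise the tty, which for su is the full /dev/... device path, as the error message quoted above shows. That last point, the group table, the user names and the host addresses are my assumptions. The thread's own rule table is then evaluated for the logins discussed above; the group, EXCEPT, network-prefix and domain-suffix forms shown go beyond what the thread itself used.

```python
"""Model of FreeBSD login.access(5) matching as used by pam_login_access(8).
Added example for this thread, not FreeBSD's own code; it follows the
semantics described in the thread and in login.access(5)."""
import re

# Constructed: the ruleset posted in this thread, in file order.
RULES = """\
# permission : users : origins
+:ALL:ttyv0
+:ALL:192.168.1.102
+:user1:ALL
-:ALL:ALL
"""
# First match wins, so +:ALL:LOCAL has to come before the final deny line.
RULES_WITH_LOCAL = RULES.replace("-:ALL:ALL", "+:ALL:LOCAL\n-:ALL:ALL")

# Constructed group table standing in for getgrnam(3).
GROUPS = {"wheel": {"nokobon"}}

_SEP = re.compile(r"[,\s]+")


def _string_match(tok, item):
    """ALL matches everything; otherwise a case-insensitive exact match."""
    return tok.upper() == "ALL" or tok.lower() == item.lower()


def _from_match(tok, origin):
    """Origin tokens: exact, .domain suffix, LOCAL (no dot), network prefix."""
    if _string_match(tok, origin):
        return True
    if tok.startswith("."):                # ".example.org" matches last fields
        return len(origin) > len(tok) and origin.lower().endswith(tok.lower())
    if tok.upper() == "LOCAL":             # anything without a "." in it
        return "." not in origin
    if tok.endswith("."):                  # "192.168.1." matches the head
        return origin.startswith(tok)
    return False


def _user_match(tok, user):
    """User tokens: ALL, a user name, or a group the user belongs to."""
    return _string_match(tok, user) or user in GROUPS.get(tok, set())


def _list_match(tokens, item, match_fn):
    """Match item against a token list, honouring EXCEPT like list_match()."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":        # EXCEPT before any match: no match
            return False
        if match_fn(tok, item):
            rest = [t.upper() for t in tokens[i + 1:]]
            if "EXCEPT" in rest:           # matched, unless also in the EXCEPT list
                exc = tokens[i + 1 + rest.index("EXCEPT") + 1:]
                return not _list_match(exc, item, match_fn)
            return True
    return False


def login_access(user, origin, rules=RULES):
    """True if user may log in from origin under rules; first match decides."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:               # malformed line: skipped
            continue
        perm, users, origins = fields
        if (_list_match(_SEP.split(origins), origin, _from_match)
                and _list_match(_SEP.split(users), user, _user_match)):
            return perm.startswith("+")
    return True                            # no rule matched: permitted


def pam_login_access(target_user, rhost=None, tty=None, rules=RULES):
    """Origin choice as pam_login_access makes it: PAM_RHOST if set, else PAM_TTY.
    Assumption from the error on this page: su sets no PAM_RHOST and passes the
    tty as its full device path, so su inside an ssh session is judged by its
    pseudo-tty, not by the ssh client's address."""
    if rhost:
        return login_access(target_user, rhost, rules)
    if tty:
        return login_access(target_user, tty, rules)
    return False                           # assumed: no origin known, deny


def thread_scenarios():
    """The logins discussed in the thread, as {description: allowed}."""
    return {
        "ssh nokobon from 192.168.1.102": pam_login_access("nokobon", rhost="192.168.1.102"),
        "ssh nokobon from 192.168.2.102": pam_login_access("nokobon", rhost="192.168.2.102"),
        "ssh user1 from anywhere": pam_login_access("user1", rhost="10.0.0.5"),
        "su root on console, original rules": pam_login_access("root", tty="/dev/ttyv0"),
        "su root inside ssh, original rules": pam_login_access("root", tty="/dev/ttyp0"),
        "su root on console, with LOCAL": pam_login_access("root", tty="/dev/ttyv0", rules=RULES_WITH_LOCAL),
        "su root inside ssh, with LOCAL": pam_login_access("root", tty="/dev/ttyp0", rules=RULES_WITH_LOCAL),
    }


if __name__ == "__main__":
    for what, ok in thread_scenarios().items():
        print(f"{'allow' if ok else 'DENY '}  {what}")
```

Running it reproduces the two points made in the thread: with the original three rules, su to root is denied both on /dev/ttyv0 and on the ssh pseudo-tty, because the ttyv0 token is compared against the full device path and the 192.168.1.102 rule is never consulted for a tty origin; +:ALL:LOCAL, placed before -:ALL:ALL since the first match wins, permits both. For the sshd-only alternative mentioned in the last post, OpenSSH's AllowUsers accepts USER@HOST patterns (for example AllowUsers user1 *@192.168.1.102 in sshd_config), but as the post notes that restricts only sshd, not the other login paths that login.access covers.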