How to restrict access to SSH with pam_group.so

My goal is to restrict who can ssh into a server using pam_group.so.

I tried these settings in /etc/pam.d/sshd:

Code:
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_group.so            group=wheel
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

But it does not work; I only have a generic failure message in auth.log:
Code:
error: PAM: authentication error for user from hostname
 
pam_group.so is not as fully configurable, and my suggestion would be to use the line from /etc/pam.d/su, which says:
Code:
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
Note that it uses requisite and not required.
 
I'm not sure what you mean by "it doesn't work"; it does block the ssh connection attempt and it does log the failure...

What else are you trying to get it to do?
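
A small check of the points raised in this thread, added here as an example and not code from either poster or from FreeBSD: it parses the auth chain of a pam.d file and reports the control flag on pam_group.so and any "sufficient" module placed ahead of it. The function names and the SAMPLE text (constructed from the auth lines posted above) are assumptions of the example.

```python
# Added example: lint where and how pam_group.so sits in a PAM auth chain.
# SAMPLE is constructed from the auth lines posted in the thread.
SAMPLE = """\
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_group.so            group=wheel
auth            required        pam_unix.so             no_warn try_first_pass
"""


def parse_chain(text, facility="auth"):
    """Return [(control, module, options)] for one facility, in file order."""
    chain = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == facility:
            module = fields[2].rsplit("/", 1)[-1]  # tolerate a full module path
            chain.append((fields[1], module, fields[3:]))
    return chain


def lint_group_check(text, module="pam_group.so"):
    """Return findings about how the group check is wired into the auth chain."""
    chain = parse_chain(text)
    names = [mod for _, mod, _ in chain]
    if module not in names:
        return [f"{module} is not in the auth chain"]
    idx = names.index(module)
    control = chain[idx][0]
    findings = []
    # A 'sufficient' module that succeeds ends the chain at once, so anything
    # listed after it (including the group check) is never consulted.
    for ctl, mod, _ in chain[:idx]:
        if ctl == "sufficient":
            findings.append(f"{mod} is 'sufficient' and runs before {module}")
    if control == "required":
        # Failure is remembered, but the remaining modules still run.
        findings.append(f"{module} is 'required': later modules run after a failed check")
    elif control in ("sufficient", "optional"):
        findings.append(f"{module} is '{control}': a failed check does not deny access")
    return findings


if __name__ == "__main__":
    for finding in lint_group_check(SAMPLE):
        print(finding)
```
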
 