Dirk H. Schulz
2009-Mar-20 13:49 UTC
[CentOS] pam_access.so restrictions not working - syntax errors?
Hi folks,

I want to restrict root access via ssh to certain (internal) hosts. That is what pam_access.so is for, I thought, so I configured:

in /etc/security/access.conf I added (nothing in there before):

    + : root : 192.168.123.0/24 10.72.0.0/16
    - : root : ALL

in /etc/pam.d/ssh I added at the end:

    account required pam_access.so

Then I restarted the ssh server.

Basically, this kinda works. Cron suddenly had no right to do its job, so I had to add

    + : root : LOCAL

to /etc/security/access.conf

But there still is no restriction on ssh logins by root - I can still login from anywhere.

Next I tried putting it in one line in /etc/security/access.conf:

    - : root : ALL EXCEPT LOCAL 192.168.123.0/24 10.72.0.0/16

That did not change anything, still I can log in via ssh.

I am stuck. According to documentation and the examples on the net this should be the right syntax. And, by the way, in my /etc/ssh/sshd_config I have "UsePAM yes".

Any help or hint is appreciated.

Dirk
Filipe Brandenburger
2009-Mar-20 17:47 UTC
[CentOS] pam_access.so restrictions not working - syntax errors?
Hi,

I have it working with SSH here for a similar setup.

On Fri, Mar 20, 2009 at 09:49, Dirk H. Schulz <dirk.schulz at kinzesberg.de> wrote:
> in /etc/pam.d/ssh I added at the end:
> account required pam_access.so

I believe you have to add this line *before* the "account include system-auth" line.

Other than that it seems right.

HTH,
Filipe
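
The ordering check from the reply above, as an added example that is not part of the thread: a shell function that reports whether the pam_access.so account line precedes the "account include system-auth" line in a PAM service file. The function name, the result labels and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a PAM service file for the
# ordering described in the reply above.
# Usage: pam_access_order FILE
# Prints: ok | after-include | missing | no-include   (hypothetical labels)
pam_access_order() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }          # skip comments, blank and short lines
        { type = $1; sub(/^-/, "", type) }    # tolerate the optional "-" type prefix
        type != "account" { next }            # only the account stack is relevant
        ($2 == "include" || $2 == "substack") && $3 == "system-auth" {
            if (!inc) inc = NR                # first line pulling in system-auth
            next
        }
        {
            # Module may be written bare or with a path; control may be bracketed.
            for (i = 2; i <= NF; i++)
                if ($i ~ "(^|/)pam_access\\.so$") { if (!acc) acc = NR; break }
        }
        END {
            if (!acc)           print "missing"
            else if (!inc)      print "no-include"
            else if (acc < inc) print "ok"
            else                print "after-include"
        }
    ' "$1"
}

# Constructed sample: pam_access.so appended at the end, as in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
EOF
echo "constructed sample: $(pam_access_order "$sample")"
rm -f "$sample"
```

Run it against the service file sshd actually loads; a result of "after-include" corresponds to the layout the reply says to change.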