I am trying to restrict SSH access for users in the wheel group using PAM and pam_access.so on Red Hat 9. Despite following all necessary steps, users in the wheel group are still able to log in via SSH from remote hosts, which should be denied according to my configuration.
Here’s what I have done so far:
Added the following line to /etc/pam.d/sshd, /etc/pam.d/password-auth, and /etc/pam.d/system-auth:
account required pam_access.so
Configured PAM for SSH in /etc/ssh/sshd_config:
UsePAM yes
Configured the rule in /etc/security/access.conf:
-:wheel:ALL EXCEPT LOCAL
Notes:
Despite all these configurations, users in the wheel group can still log in via SSH from any remote host, which contradicts the intended restriction.
Any insights or guidance would be greatly appreciated.
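To check what the access.conf rule above is supposed to decide, here is a small evaluator of pam_access first-match rule semantics, written as an added example for this thread (it is not the poster's configuration and not pam_access code). It simplifies LOCAL to "origin containing no dot" and supports only ALL, EXCEPT, LOCAL, bare user/group names, (group) and host names; the users, groups and origins in the sample are constructed.

```python
"""Minimal evaluator for /etc/security/access.conf rules (added example)."""


def _parse_rules(text):
    """Yield (permission, users, origins) for each 'perm:users:origins' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) == 3:
            yield tuple(fields)


def _match_list(spec, item_matches):
    """Evaluate 'a b EXCEPT c d': matched by the left part and not by the right."""
    items = spec.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_match_list(" ".join(items[:i]), item_matches)
                and not _match_list(" ".join(items[i + 1:]), item_matches))
    return any(item_matches(it) for it in items)


def _user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):  # explicit group syntax
        return item[1:-1] in groups
    return item == user or item in groups  # bare name: user, then group


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin  # ASSUMPTION: tty names / unqualified hosts
    if item.startswith("."):  # domain suffix, e.g. .example.com
        return origin.endswith(item)
    return item == origin  # exact host name or address


def access_decision(conf, user, groups, origin):
    """Return True if access is permitted. First matching rule decides;
    no matching rule means pam_access permits."""
    for perm, users, origins in _parse_rules(conf):
        if (_match_list(users, lambda it: _user_matches(it, user, groups))
                and _match_list(origins, lambda it: _origin_matches(it, origin))):
            return perm == "+"
    return True


# Constructed sample: the rule from the question plus one explicit-group rule.
SAMPLE_CONF = "-:wheel:ALL EXCEPT LOCAL\n-:(contractors):.untrusted.example\n"
```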
Hello @Maximus_el ,
The following 2 commands should do the job.
echo 'DenyGroups wheel' > /etc/ssh/sshd_config.d/73-deny_wheel_group.conf
systemctl reload sshd
Regards,
Tshimanga
Hello Maximus,
I don't see that you included a very essential piece
in your /etc/ssh/sshd_config file. Add the following
line to that file:
DenyGroups wheel
After adding that line, restart your ssh daemon.
Standing by for your report.
Beautiful! Since the directive 'Include /etc/ssh/ssh_config.d/*.conf' is there.
thank you for your help!
Thank you for your help, it worked. Oh, and yes, I really forgot about sshd_config.
Thank you again !
Hello Maximus,
Would you be okay with providing the complete content
of your /etc/ssh/sshd_config file?
It worked, and I have no idea how I typed || who wrote "didnt".
thank you for your help
Alrighty then!!! That's a big relief for both of us!
I thought I might have to spend an all-nighter
trying to uncover the issue
Please disregard that last request for the complete
/etc/ssh/sshd_config file!!!!
I'm celebrating with you that you've gotten what you
needed!!! Thanks for reaching out to the community!!!
Hi @Maximus_el,
As you might have realized, @Trevor and I used the simple sshd config of DenyGroups, even if we did it in two different locations, and it works.
I just hope that the requirement of the question is not to explicitly use PAM.
If it is the case, let us know, because you might fail that question if you do it our way.
Regards,
Tshimanga
First off, I’d like to extend my gratitude to you, @TM , and @Trevor for your invaluable insights and support. It’s incredible how much your assistance motivates and propels everyone forward.
Secondly, I fully grasp your point. Although I’m nearing the end of my RHCSA studies, I’m not rushing into the exam just yet. My current focus is to deepen my understanding and gain practical experience with RHEL alongside technologies like Nginx, DevOps tools including Ansible and Docker, and AWS. I’m working on setting up a server for a family project before I schedule any exams. For now, my journey is all about learning and practicing.
Thank you again for being such a pillar of support in this community.
Regards,