Maximus_el
Flight Engineer

PAM pam_access.so Rules Not Denying SSH Access for Users in wheel Group

I am trying to restrict SSH access for users in the wheel group using PAM and pam_access.so on Red Hat 9. Despite following all necessary steps, users in the wheel group are still able to log in via SSH from remote hosts, which should be denied according to my configuration.

Here’s what I have done so far:

  1. Added the following line to /etc/pam.d/sshd, /etc/pam.d/password-auth, and /etc/pam.d/system-auth:

    account required pam_access.so
  2. Configured PAM for SSH in /etc/ssh/sshd_config:

    UsePAM yes
  3. Configured the rule in /etc/security/access.conf:

    -:wheel:ALL EXCEPT LOCAL
  4. Notes:

    • I tried setting SELinux in permissive mode.
    • SSH service was restarted after each configuration change.

Despite all these configurations, users in the wheel group can still log in via SSH from any remote host, which contradicts the intended restriction.

Any insights or guidance would be greatly appreciated.

________________________________________________________
Keep fighting, peacefully!
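As an added example (not from the original post or from the pam_access project), a small Python model of how pam_access.so walks access.conf: the first matching line decides, a request that matches no line is permitted, and `-:wheel:ALL EXCEPT LOCAL` denies only when the origin fails the LOCAL test. The group database and the LOCAL test (a tty/pts name or a loopback address) are assumptions for the demo, not the module's real implementation.

```python
import ipaddress

GROUPS = {"wheel": {"alice"}, "users": {"alice", "bob"}}  # constructed demo group db
CONF = "-:wheel:ALL EXCEPT LOCAL\n"  # the rule from the question

def is_local(origin):
    """Assumed LOCAL test: a tty/pts name or a loopback address."""
    if origin.startswith(("tty", "pts/")):
        return True
    try:
        return ipaddress.ip_address(origin).is_loopback
    except ValueError:
        return False

def _with_except(tokens, one):
    """'a b EXCEPT c d' matches if any of a,b matches and none of c,d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return any(map(one, tokens[:i])) and not any(map(one, tokens[i + 1:]))
    return any(map(one, tokens))

def match_user(field, user):
    """Bare name: the user, else a group of that name; '(name)' forces group."""
    def one(tok):
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            return user in GROUPS.get(tok[1:-1], set())
        return tok == user or user in GROUPS.get(tok, set())
    return _with_except(field.split(), one)

def match_origin(field, origin):
    def one(tok):
        if tok == "ALL":
            return True
        if tok == "LOCAL":
            return is_local(origin)
        return tok == origin  # exact host/IP/tty match; no wildcards here
    return _with_except(field.split(), one)

def evaluate(conf, user, origin):
    """First matching line decides; if no line matches, pam_access permits."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if match_user(users, user) and match_origin(origins, origin):
            return "permit" if perm == "+" else "deny"
    return "permit"
```

Feeding the model a wheel member from a remote address yields "deny", while the same user on a local tty or loopback address matches no line and is permitted, which is the behaviour the rule is meant to produce.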
13 Replies
TM
Starfighter

I got your point and I encourage you with your family project.
It is often a good way of learning while trying to achieve something useful.

Besides, PAM is well beyond the objectives for RHCSA.

But as it is said in French: Qui peut le plus peut le moins.
Translation (maybe a better one exists): The one that can do more can do less.

Trevor
Commander

Maximus, your words are very kind, and most appreciated!!!

This may sound a little crazy, but your questions serve to motivate me!!! Keep them coming!!!

I love your current focus - to deepen your understanding, and to gain practical experience. You'll serve yourself very well with this approach.

Study as if you're preparing to go perform on a consulting assignment, and not to take an exam. If you learn on that level, passing the exams will be a fun experience!!!

Make that learning journey a marathon - not a sprint!!!

Trevor "Red Hat Evangelist" Chandler
Maximus_el
Flight Engineer

Actually, what often happens with me is that I can't stop myself from testing and exploring as many directives as possible in a configuration file until I reach my limit. Only then do I move on to the next 'fun'.

________________________________________________________
Keep fighting, peacefully!
Trevor
Commander

Maximus, that's a GREAT problem to have!!! I have that same addiction - and I'm not trying to find a cure.

The more you test and explore, the more you'll learn beyond what's covered in the textbook!! The more you learn, the more value you'll bring to the table!! The more value you bring to the table, the more employment opportunities you'll have!!!

Keep your foot on the accelerator of learning!!!

Trevor "Red Hat Evangelist" Chandler