Maximus_el

PAM pam_access.so Rules Not Denying SSH Access for Users in wheel Group

 

I am trying to restrict SSH access for users in the wheel group using PAM and pam_access.so on Red Hat 9. Despite following all necessary steps, users in the wheel group are still able to log in via SSH from remote hosts, which should be denied according to my configuration.

Here’s what I have done so far:

  1. Added the following line to /etc/pam.d/sshd, /etc/pam.d/password-auth, and /etc/pam.d/system-auth:

    account required pam_access.so
  2. Configured PAM for SSH in /etc/ssh/sshd_config:

    UsePAM yes
  3. Configured the rule in /etc/security/access.conf:

    -:wheel:ALL EXCEPT LOCAL
  4. Notes:

    • I tried setting SELinux in permissive mode.
    • SSH service was restarted after each configuration change.

Despite all these configurations, users in the wheel group can still log in via SSH from any remote host, which contradicts the intended restriction.

Any insights or guidance would be greatly appreciated.

________________________________________________________
Keep fighting, peacefully!
7 Replies
TM

Hello @Maximus_el ,

The following 2 commands should do the job.

echo 'DenyGroups wheel' > /etc/ssh/sshd_config.d/73-deny_wheel_group.conf
systemctl reload sshd

Regards,

Tshimanga
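
To confirm that the drop-in file is actually in force, check the configuration sshd has parsed rather than the files on disk. The following is an added example, not part of the original posts: the function name `group_denied` and the sample output are constructed, and real input would come from `sshd -T` run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Real use, as root:
#   sshd -T | group_denied wheel && echo "wheel: denied"
# `sshd -T` prints the effective configuration with Include'd drop-ins
# already merged, one lowercase keyword per line.

# Constructed sample of `sshd -T` output (assumption, for offline runs).
SAMPLE_SSHD_T='port 22
permitrootlogin no
usepam yes
denygroups wheel
denygroups ops-*'

# group_denied GROUP
# Reads `sshd -T` output on stdin. Exit status 0 if GROUP matches a pattern
# on any denygroups line, 1 otherwise. Handles the * and ? wildcards;
# negated (!) patterns are not handled (assumption: none are in use).
# The body runs in a subshell, so `set -f` and `exit` stay local to the call.
group_denied() (
    set -f    # keep * and ? in patterns from expanding to file names
    while read -r key rest; do
        [ "$key" = "denygroups" ] || continue
        for pat in $rest; do
            case $1 in
                $pat) exit 0 ;;    # unquoted: treated as a wildcard pattern
            esac
        done
    done
    exit 1
)

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SSHD_T" | group_denied wheel && echo "wheel: denied"
```

DenyGroups applies to every SSH login regardless of source host, so it is broader than the `ALL EXCEPT LOCAL` rule in the question; console logins are not affected.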

Maximus_el

Beautiful! since the directive 'Include /etc/ssh/ssh_config.d/*.conf' is there

thank you for your help!

________________________________________________________
Keep fighting, peacefully!
Trevor

Hello Maximus,

I don't see that you included a very essential piece
in your /etc/ssh/sshd_config file.  Add the following
line to that file:

                DenyGroups  wheel


After adding that line, restart your ssh daemon.

Standing by for your report.

 

Trevor "Red Hat Evangelist" Chandler
Maximus_el

Thank you for your help, it worked. Oh, and yes, I really forgot about sshd_config.

Thank you again !

________________________________________________________
Keep fighting, peacefully!
Trevor

Hello Maximus,

Would you be okay with providing the complete content
of your /etc/ssh/sshd_config file?

 

Trevor "Red Hat Evangelist" Chandler
Maximus_el

It worked, and I have no idea how I typed || who wrote "didn't".

thank you for your help

________________________________________________________
Keep fighting, peacefully!
Trevor

Alrighty then!!!  That's a big relief for both of us!  
I thought I might have to spend an all-nighter
trying to uncover the issue

Please disregard that last request for the complete
/etc/ssh/sshd_config file!!!!

I'm celebrating with you that you've gotten what you
needed!!!  Thanks for reaching out to the community!!!

 

Trevor "Red Hat Evangelist" Chandler