Red Hat Bugzilla – Bug 732081
PAM does not correctly parse @users@@hosts netgroup syntax in /etc/security/access.conf
Last modified: 2011-09-13 17:32:13 EDT
Description of problem:
I use /etc/security/access.conf to restrict what hosts users can log into and from where via SSH. This is controlled via netgroups. In access.conf, I have rules such as:
+ : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff@@bastion-hosts : ALL
- : ALL : ALL
The above should allow users in the netgroup staff to connect to hosts in the netgroup private-hosts from the above networks. The same users are allowed to connect to the bastion hosts from anywhere. All other connections are denied. This works in F13, F14, RHEL5, and RHEL6.
On Fedora 15 and pam-1.1.3-8, PAM does not correctly parse the @users@@hosts syntax and authorizes any authenticated user to connect to private-hosts from any location.
If I drop the @@netgroup suffix, PAM will correctly limit connections to users in the netgroup staff.
+ : @staff : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff : ALL
The manpage access.conf(5) says the @@netgroupname syntax should work:
The @@netgroupname syntax is supported in the user pattern only and it makes the local system hostname to be passed to the netgroup match call in addition to the user name.
I can look up all of the above netgroups via 'getent netgroup <name>'.
Version-Release number of selected component (if applicable):
Fedora 15 and pam-1.1.3-8.
Steps to Reproduce:
1. Create netgroups similar to:
2. Update access.conf with rules similar to above.
3. Update /etc/pam.d/sshd to refer to access.conf
account required pam_access.so accessfile=/etc/security/access.conf
4. Update /etc/ssh/sshd_config and set 'UsePAM yes'.
Actual results:
Authenticated users (not just those in the staff netgroup) are authorized to connect to any host from any location.
Expected results:
Authenticated user in netgroup staff is authorized to connect to private-hosts from designated networks. SSH connections from other locations are only allowed to hosts in bastion-hosts.
Additional info:
As stated above, this same configuration works on F13, F14, RHEL5, and RHEL6.
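As an added illustration (not code from this bug report or from Linux-PAM), the following Python model evaluates the reporter's three rules the way access.conf(5) describes them: a user pattern of the form @users@@hosts matches when the user is in the first netgroup and the local system hostname is in the second, the first matching rule decides, and a leading + or - permits or denies. The netgroup table, user names, host names and client addresses are constructed stand-ins for what `getent netgroup` would return; the model ignores groups, EXCEPT clauses and the other origin forms the real module accepts. Running it against the rules and the reproduction steps above yields the expected results, which is a useful way to sanity-check a policy before relying on it on a particular PAM build.

```python
"""Simplified model of pam_access rule evaluation for @users@@hosts patterns."""
import ipaddress

# Constructed netgroup table standing in for `getent netgroup <name>`.
# Each member is a (host, user) pair; an empty field is a wildcard.
NETGROUPS = {
    "staff": [("", "alice"), ("", "bob")],
    "private-hosts": [("db1", ""), ("db2", "")],
    "bastion-hosts": [("bastion1", "")],
}

# The reporter's rules, as they appear in /etc/security/access.conf.
ACCESS_CONF = """
+ : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff@@bastion-hosts : ALL
- : ALL : ALL
"""


def innetgr(netgroup, host=None, user=None):
    """Simplified innetgr(3): True if some member matches the given host/user.
    A None argument means that field is not checked; an empty member field
    matches anything."""
    for h, u in NETGROUPS.get(netgroup, []):
        if host is not None and h and h != host:
            continue
        if user is not None and u and u != user:
            continue
        return True
    return False


def parse_rules(text):
    """Parse 'perm : users : origins' lines into (perm, [users], [origins])."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def origin_match(pattern, origin):
    """Match an origin pattern: ALL, a CIDR network, or an exact string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # origin is a hostname, not an address
            return False
    return pattern == origin


def user_match(pattern, user, local_host):
    """Match a user pattern: ALL, @netgroup, @netgroup@@hostnetgroup, or a login."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        user_group, sep, host_group = pattern[1:].partition("@@")
        if sep:
            # access.conf(5): the local hostname is passed to the netgroup
            # match in addition to the user name.
            return innetgr(user_group, user=user) and innetgr(host_group, host=local_host)
        return innetgr(user_group, user=user)
    return pattern == user


def check_access(rules, user, origin, local_host):
    """First matching rule decides; '+' grants, '-' denies."""
    for perm, users, origins in rules:
        if any(user_match(u, user, local_host) for u in users) and any(
            origin_match(o, origin) for o in origins
        ):
            return perm == "+"
    return True  # pam_access grants access when no rule matches


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    # Constructed logins: (user, client address, local hostname)
    for user, origin, host in [
        ("alice", "10.0.1.7", "db1"),
        ("alice", "192.0.2.5", "db1"),
        ("carol", "10.0.1.7", "db1"),
        ("alice", "192.0.2.5", "bastion1"),
        ("carol", "192.0.2.5", "bastion1"),
    ]:
        verdict = "permit" if check_access(rules, user, origin, host) else "deny"
        print(f"{user}@{host} from {origin}: {verdict}")
```

Only the staff member reaches db1 from the designated networks and reaches bastion1 from anywhere; a non-staff user and an off-network connection to db1 fall through to the final deny rule, which is the behaviour the report expects.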
pam-1.1.4-4.fc15 has been submitted as an update for Fedora 15.
pam-1.1.4-4.fc16 has been submitted as an update for Fedora 16.
Package pam-1.1.4-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-1.1.4-4.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
pam-1.1.4-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.1.4-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Verified that this now works as intended. Thank you!