Description of problem:
I use /etc/security/access.conf to restrict what hosts users can log into and from where via SSH. This is controlled via netgroups. In access.conf, I have rules such as:

    + : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
    + : @staff@@bastion-hosts : ALL
    - : ALL : ALL

The above should allow users in the netgroup staff to connect to hosts in the netgroup private-hosts from the above networks. The same users are allowed to connect to the bastion hosts from anywhere. All other connections are denied. This works in F13, F14, RHEL5, and RHEL6.

On Fedora 15 and pam-1.1.3-8, PAM does not correctly parse the @users@@hosts syntax and authorizes any authenticated user to connect to private-hosts from any location. If I drop the @@netgroup suffix, PAM will correctly limit connections to users in the netgroup staff.

    + : @staff : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
    + : @staff : ALL

The manpage access.conf(5) says the @@netgroupname syntax should work:

    The @@netgroupname syntax is supported in the user pattern only and it makes the local system hostname to be passed to the netgroup match call in addition to the user name.

I can look up all of the above netgroups via 'getent netgroup <name>'.

Version-Release number of selected component (if applicable):
Fedora 15 and pam-1.1.3-8.

How reproducible:
Always.

Steps to Reproduce:
1. Create netgroups similar to:

    staff: (,bob,) (,jsmith,) (,ned,)
    private-hosts: (host1.example.net,,) (host2.example.net,,) (host3.example.net,,)
    bastion-hosts: (bastion.example.net,,)

2. Update access.conf with rules similar to above.
3. Update /etc/pam.d/sshd to refer to access.conf:

    account required pam_access.so accessfile=/etc/security/access.conf

4. Update /etc/ssh/sshd_config and set 'UsePAM yes'.

Actual results:
Authenticated users (not just those in the staff netgroup) are authorized to connect to any host from any location.

Expected results:
Authenticated user in netgroup staff is authorized to connect to private-hosts from designated networks. SSH connections from other locations are only allowed to hosts in bastion-hosts.

Additional info:
As stated above, this same configuration works on F13, F14, RHEL5, and RHEL6.
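A small model of how the rules above are meant to be evaluated, so the intended policy can be checked offline before trusting it on a host. This is an added example, not code from the bug report or from Linux-PAM: it models the semantics the reporter expects and access.conf(5) documents (first matching "permission : users : origins" line decides; "@name" is a user netgroup; "@users@@hosts" additionally requires the local hostname to be in the "hosts" netgroup; origins are CIDR networks or ALL; no matching line means access is granted, which is why the final "- : ALL : ALL" line matters). The netgroup table, the hostnames and the client addresses are constructed in place of NIS/LDAP lookups, and the user "mallory" is a constructed non-staff account.

```python
"""Model pam_access-style evaluation of the access.conf rules from this report.

Added example; simplified model, not the pam_access implementation.
"""
import ipaddress

# Constructed netgroup triples (host, user, domain), as 'getent netgroup'
# would print them for the report's three netgroups.
NETGROUPS = {
    "staff": [("", "bob", ""), ("", "jsmith", ""), ("", "ned", "")],
    "private-hosts": [("host1.example.net", "", ""),
                      ("host2.example.net", "", ""),
                      ("host3.example.net", "", "")],
    "bastion-hosts": [("bastion.example.net", "", "")],
}

# The rules from the report, verbatim.
ACCESS_CONF = """\
+ : @staff@@private-hosts : 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
+ : @staff@@bastion-hosts : ALL
- : ALL : ALL
"""


def innetgr(group, host=None, user=None):
    """Mimic innetgr(3): None means 'don't care'; an empty triple field matches anything."""
    for h, u, _domain in NETGROUPS.get(group, []):
        host_ok = host is None or h == "" or h == host
        user_ok = user is None or u == "" or u == user
        if host_ok and user_ok:
            return True
    return False


def user_matches(pattern, user, local_host):
    """Match one token of the users field against the login name (and local hostname)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        if "@@" in pattern[1:]:
            # '@users@@hosts': user netgroup AND local host in the host netgroup.
            user_group, host_group = pattern[1:].split("@@", 1)
            return innetgr(user_group, user=user) and innetgr(host_group, host=local_host)
        return innetgr(pattern[1:], user=user)
    return pattern == user


def origin_matches(origins, client_ip):
    """Match the origins field: ALL or a space-separated list of CIDR networks."""
    addr = ipaddress.ip_address(client_ip)
    for origin in origins.split():
        if origin == "ALL" or addr in ipaddress.ip_network(origin, strict=False):
            return True
    return False


def access_decision(conf, user, local_host, client_ip):
    """Return '+' or '-' from the first matching rule; no match grants access."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        permission, users, origins = [f.strip() for f in line.split(":", 2)]
        if any(user_matches(p, user, local_host) for p in users.split()) \
                and origin_matches(origins, client_ip):
            return permission
    return "+"


def check_policy(conf=ACCESS_CONF):
    """Evaluate the report's expected outcomes on constructed (user, host, client) cases."""
    cases = {
        "staff from private net to private host": ("bob", "host1.example.net", "10.0.2.17"),
        "staff from elsewhere to private host": ("bob", "host1.example.net", "203.0.113.5"),
        "staff from elsewhere to bastion": ("jsmith", "bastion.example.net", "203.0.113.5"),
        "non-staff from private net to private host": ("mallory", "host2.example.net", "10.0.1.9"),
        "non-staff from elsewhere to bastion": ("mallory", "bastion.example.net", "198.51.100.1"),
    }
    return {name: access_decision(conf, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in check_policy().items():
        print(f"{decision}  {name}")
```

Running it prints "+" only for the two cases the report calls expected (staff to private-hosts from the listed networks, staff to bastion-hosts from anywhere) and "-" for everything else; the reported Fedora 15 behaviour corresponds to the first line matching for every user and origin, which this model would surface as a "+" on the non-staff cases.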
pam-1.1.4-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc15
pam-1.1.4-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc16
Package pam-1.1.4-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-1.1.4-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/pam-1.1.4-4.fc16
then log in and leave karma (feedback).
pam-1.1.4-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.1.4-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Verified that this now works as intended. Thank you!