-----Original Message-----
From: Darren Tucker [mailto:dtucker@zip.com.au]
Sent: March 18, 2006 7:15 PM
To: Ron Wheeler
Cc: secureshell@securityfocus.com; rwheeler@artifact-software.com
Subject: Re: PAM and SSH


On Sat, Mar 18, 2006 at 01:17:19PM -0500, Ron Wheeler wrote:
> It does not seem to work.
> It appears that for sshd, sshusers would have to be their primary =

group
> and it is not.


sshd checks the supplemental group ids by using getgrouplist. Is it
possible that your system doesn't return those (eg if the data source
isn't listed in nsswitch.conf?)

The nsswitch.conf list files and winbind for groups but the ssh =
documentation said that only primary groups were used.

> It also appears that the Allow* directives act like seives. You have =

to
> pass all of the specified criteria to get in.
> This means they would have be in the right group AND local rather than
> OR which is what I need.


Not exactly. Once you have either of AllowUsers or AllowGroups then
the entire list of that type of directive will be checked before any
login not matching at least one rule of that type is denied.

So it's a logical OR within types and a logical AND across types. =
That's
why I suggested using two AllowGroups directives in my follow-up post.

Could test this again.

You appear to be correct about the wildcarding in pam_listfile.
I hate to list all of the hosts but it will not be too hard - just =
another PITA for ongoing support. We do not change the host names very =
often.
Perhaps a simple PAM module that takes a network description and =
succeeds if the user's IP is on that network would not be a huge task.
A good project for a student taking C. Now I just have to find one:-)

Ron