Security: PAM modules

Limits and boundaries

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later


    1. Limit the amount of users
    2. Limit the amount of chances
    3. Limit the user

Limit the amount of users

User and group access can be controlled by PAM with the pam_access module. Its control file is, as far as I know, shipped by every distribution as /etc/security/access.conf.

You could create a simple file that makes sure that only certain groups have access to your machine:

+ : bofh : ALL
+ : ALL  : LOCAL
+ : ALL  :
- : ALL  : ALL

Lines are tried from the top and the first line that matches decides, so the order matters. The last line says: deny everything else. The line above it allows every user that comes from a local origin, which seems reasonable, if only to make sure that web servers and similar services can start. The first line, however, is the key one: it states that on this system only the users in the group bofh have access, and no one else.

The structure of the lines is simple: the field separator is the : and every line consists of 3 fields:

Field 1
Contains a + or a - sign. The + means allow and the - means deny access.
Field 2
Contains the who. ALL means everybody; a name means a user name or a group name.
Field 3
Contains the from/what part. It can hold the address someone is coming from, or the TTY or service that one is connecting to. The elements are space separated and are matched against the PAM_RHOST, PAM_TTY and PAM_SERVICE items, which are evaluated in this order:
    1. A host name, domain name, host address, internet network address with network mask, ALL, or LOCAL
    2. The TTY someone is coming from. This can be something like ttyS0, but also :0 for an X display, or cron for e.g. vixie-cron and cronie
    3. The service that is being accessed. For cron that is crond
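To see the three-field rules and the sample file above in action, here is an added example that is not part of the article and not the pam_access source: a small Python model of the lookup. It assumes a constructed group table (GROUPS, standing in for /etc/group) with the made-up users alice, bob and www-data, and it simplifies origin matching as described in its docstring. It also shows two things the sample file does not say out loud: the third line, with an empty origin list, never matches anything, and without the closing deny line a user that matches no rule is let in.

```python
"""Model of how pam_access evaluates /etc/security/access.conf.

This is an added example, not code from the article and not the pam_access
source.  It replays the rules described above: three ':'-separated fields,
lines tried top to bottom, first match decides.  Origin tokens are reduced to
ALL, LOCAL (an origin without a '.'), a domain suffix such as .example.com,
an IP address or network (CIDR or netmask), or an exact host, tty or service
name; EXCEPT clauses and the (group) syntax are left out of this model.
"""
import ipaddress

# Constructed sample: the file shown in the article.
SAMPLE_ACCESS_CONF = """\
+ : bofh : ALL
+ : ALL  : LOCAL
+ : ALL  :
- : ALL  : ALL
"""

# Constructed stand-in for /etc/group: user -> set of group names.
GROUPS = {
    "alice": {"bofh", "users"},
    "bob": {"users"},
    "www-data": {"www-data"},
}


def parse_access_conf(text):
    """Return one (permission, user_tokens, origin_tokens) tuple per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments and blank lines are skipped
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: expected '+|- : users : origins'")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def user_matches(token, user):
    """Field 2: ALL, the user's own name, or a group the user belongs to."""
    return token == "ALL" or token == user or token in GROUPS.get(user, set())


def origin_matches(token, origin):
    """Field 3: one space-separated origin token against the actual origin."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin              # tty, service or unqualified host
    if token.startswith("."):
        return origin.endswith(token)         # domain suffix
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return token == origin                # plain host, tty or service name


def origin_of(rhost, tty, service):
    """PAM_RHOST is consulted first, then PAM_TTY, then PAM_SERVICE."""
    return rhost or tty or service


def check_access(rules, user, rhost=None, tty=None, service=None):
    """Return (permission, rule_number) for the first matching rule.

    As in pam_access, access is granted when no rule matches at all
    (rule_number None); that is why the closing '- : ALL : ALL' line matters.
    """
    origin = origin_of(rhost, tty, service)
    for number, (perm, users, origins) in enumerate(rules, 1):
        # An empty origin list (line 3 of the sample) can never match.
        if any(user_matches(u, user) for u in users) and any(
            origin_matches(o, origin) for o in origins
        ):
            return perm, number
    return "+", None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, where in [("alice", {"rhost": "10.1.2.3"}), ("bob", {"rhost": "10.1.2.3"}),
                       ("bob", {"tty": "tty1"}), ("www-data", {"service": "cron"})]:
        print(who, where, "->", check_access(rules, who, **where))
    # Without the final deny line, bob coming from the network would get in.
    print("no deny line:", check_access(rules[:-1], "bob", rhost="10.1.2.3"))
```

Running it shows alice admitted by line 1 from anywhere, bob denied by line 4 when he comes from a remote address but admitted by line 2 on a local TTY, and cron jobs for www-data admitted by the LOCAL line; dropping the last line turns bob's remote denial into a grant.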

Limit the amount of chances

Limit the amount of tries a user has on the login prompt using pam_tally:

auth    required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so per_user deny=3 no_magic_root reset

Limit the user

pam_limits limits the "room" people have on the system. Through hard and soft limits one can, for example, cap the number of processes (nproc) a user may start or the maximum number of simultaneous logins (maxlogins), and a whole lot more.
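pam_limits reads its entries from /etc/security/limits.conf, one per line as <domain> <type> <item> <value>. The following is an added example, not code from the article or from pam_limits: a Python model that parses a constructed limits.conf (the values, the group bofh and the users alice and bob are made up for the example) and works out which nproc and maxlogins limits a given user ends up with. The precedence it applies, a user entry beating an @group entry beating the * default and the later of two equal-rank lines winning, is the model's assumption about how the entries combine; the %group form is left out.

```python
"""Model of how pam_limits combines /etc/security/limits.conf entries.

Added example, not code from the article or from pam_limits.  A line has the
four fields <domain> <type> <item> <value>; <domain> is a user name, @group
or the * default, and <type> is soft, hard or - (both).  The model assumes
the precedence a practitioner relies on: a user entry beats an @group entry,
which beats *, and among entries of equal rank the later line wins.  The
%group and per-group maxlogins forms are left out.
"""

# Constructed sample (values chosen for the example, not from the article).
SAMPLE_LIMITS_CONF = """\
# <domain>  <type>  <item>     <value>
*           soft    nproc      256
*           hard    nproc      512
@bofh       soft    nproc      1024
@bofh       hard    nproc      2048
*           hard    maxlogins  4
bob         soft    nproc      64
bob         hard    nproc      128
"""

RANK = {"user": 0, "group": 1, "default": 2}      # lower rank overrides higher


def parse_limits_conf(text):
    """Return (domain, type, item, value) tuples; numeric values become ints."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("soft", "hard", "-"):
            raise ValueError(f"limits.conf line {lineno}: expected '<domain> <type> <item> <value>'")
        domain, ltype, item, value = parts
        entries.append((domain, ltype, item, int(value) if value.isdigit() else value))
    return entries


def domain_rank(domain, user, groups):
    """Rank of a domain for this user, or None when the entry does not apply."""
    if domain == user:
        return RANK["user"]
    if domain.startswith("@"):
        return RANK["group"] if domain[1:] in groups else None
    if domain == "*":
        return RANK["default"]
    return None


def effective_limits(entries, user, groups):
    """Return {item: {'soft': value, 'hard': value}} as the user would get them."""
    chosen = {}                        # item -> type -> (rank, value)
    for domain, ltype, item, value in entries:
        rank = domain_rank(domain, user, groups)
        if rank is None:
            continue
        for t in ("soft", "hard") if ltype == "-" else (ltype,):
            current = chosen.setdefault(item, {}).get(t)
            if current is None or rank <= current[0]:   # equal rank: later line wins
                chosen[item][t] = (rank, value)
    return {item: {t: v for t, (_, v) in types.items()} for item, types in chosen.items()}


if __name__ == "__main__":
    entries = parse_limits_conf(SAMPLE_LIMITS_CONF)
    print("alice:", effective_limits(entries, "alice", {"bofh", "users"}))
    print("bob:  ", effective_limits(entries, "bob", {"users"}))
```

With the sample file, alice (a bofh member) gets the group's larger nproc limits and the default maxlogins, while bob keeps the default maxlogins but his own, much smaller nproc entries override both the group and the default lines.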