This is a discussion on HELP Using PAM to limit users from logging in remotely within the Linux Security forums, part of the System Security and Security Related category.
Okay, I've been using Linux for a few years but never really got into the security portion of it, so please excuse my ignorance.

I've been trying to set up PAM so that I can prevent some users from logging in remotely. I have a webserver set up and a group called webhost that all the clients are a part of. However, there are other users and groups that exist for other reasons but have no business logging in remotely to the system. So what I'm trying to accomplish is setting up PAM so that only root users (or wheel) and users of the webhost group can log in remotely; all others should be locked out.

I've tried to do it with /etc/security/time.conf and it seems to lock everyone out. So far I've tried these combos:

    sshd;ttyp*&tty*;*!webhost!wheel!root;!Al0000-2400
    sshd;ttyp*&tty*;*&!webhost&!wheel&!root;!Al0000-2400
    sshd;ttyp*&tty*;*|!webhost|!wheel|!root;!Al0000-2400

and have added into /etc/pam.d/sshd:

    auth required /lib/security/pam_time.so

I found the documentation on PAM a bit confusing when it comes to group.conf, since time.conf says when someone CANNOT do something and group.conf says when they CAN. Which file has priority?

My group.conf has only this line uncommented:

    sshd; tty*;*;Al0000-2400;webhost

in /etc/pam.d/sshd:

    auth required pam_group.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_selinux.so
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so

I have also changed pam_group.so to pam_time.so and it locks out Everyone! Also I am running Fedora Core 2.

Any help would be greatly appreciated. Thanks in advance!

>.< NeoPhreak
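The three time.conf user fields above differ only in how the `!`, `&` and `|` operators are combined, and the effect of that is easiest to see by running them through an evaluator. The following script is an added example for this thread, not pam_time's own code; it models the rule semantics described in pam_time(8) (each of the first three fields is a logic list of tokens joined by `&`/`|`, `!` negates a token only when it is the token's first character, `*` is a wildcard, the users field is compared against user names rather than group membership, and the times field says when matching users ARE permitted). The account names, the tty value `ttyp0` and the login time are constructed so that only the users field decides the outcome; wildcard matching is approximated with glob-style `fnmatch`, and `@netgroup` entries are not modelled.

```python
"""Simplified evaluator for pam_time.conf rules.

Added example for this thread; it is not pam_time's own code. It models the
semantics described in pam_time(8):
  services;ttys;users;times
- The first three fields are logic lists: tokens joined by '&' (and) or '|'
  (or), evaluated left to right (this model applies no operator precedence),
  each token optionally prefixed by '!' (not); '*' is a wildcard. The users
  field holds user names (or @netgroups, not modelled); it is not matched
  against group membership.
- The times field says when a matching user IS permitted: day codes
  (Mo Tu We Th Fr Sa Su, Wk = weekdays, Wd = weekend, Al = all; a repeated
  code unsets the day) followed by HHMM-HHMM, joined by the same operators.
- A rule whose service, tty and user fields all match, but whose times field
  does not permit the login time, denies the login.
"""
from datetime import datetime
from fnmatch import fnmatchcase
import re

DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
_TIME_RE = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def eval_logic(field, match_token):
    """Evaluate one logic-list field; match_token(token) -> bool."""
    tokens = [t.strip() for t in re.split(r"[&|]", field)]
    ops = [c for c in field if c in "&|"]
    result = None
    for i, tok in enumerate(tokens):
        negate = tok.startswith("!")            # '!' only counts at token start
        value = match_token(tok[1:] if negate else tok) != negate
        if result is None:
            result = value
        elif ops[i - 1] == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def time_token_matches(token, when):
    """True if 'when' falls inside a DayCodesHHMM-HHMM token."""
    m = _TIME_RE.match(token)
    if not m:
        raise ValueError("bad time token: %r" % token)
    days = set()
    for code in re.findall(r"..", m.group(1)):
        days ^= DAY_CODES[code]                 # repeated code toggles the day off
    if when.weekday() not in days:
        return False
    start, end = int(m.group(2)), int(m.group(3))
    now = when.hour * 100 + when.minute
    if start <= end:
        return start <= now < end
    return now >= start or now < end            # range wrapping past midnight


def is_permitted(conf_text, service, tty, user, when):
    """Return (permitted, denying_rule) for a login against time.conf text."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc_f, tty_f, user_f, time_f = [f.strip() for f in line.split(";")]
        applies = (eval_logic(svc_f, lambda t: fnmatchcase(service, t))
                   and eval_logic(tty_f, lambda t: fnmatchcase(tty, t))
                   and eval_logic(user_f, lambda t: fnmatchcase(user, t)))
        if applies and not eval_logic(time_f, lambda t: time_token_matches(t, when)):
            return False, line
    return True, None


# The three user-field variants from the post above, one rule each.
POSTED_RULES = {
    "run-together": "sshd;ttyp*&tty*;*!webhost!wheel!root;!Al0000-2400",
    "and-list":     "sshd;ttyp*&tty*;*&!webhost&!wheel&!root;!Al0000-2400",
    "or-list":      "sshd;ttyp*&tty*;*|!webhost|!wheel|!root;!Al0000-2400",
}
# Constructed account names; "webhost" and "wheel" are user names here,
# because that is what the users field is compared against.
SAMPLE_USERS = ("root", "wheel", "webhost", "bob")


def who_is_denied(rule, users=SAMPLE_USERS, tty="ttyp0",
                  when=datetime(2005, 3, 1, 10, 0)):
    """Users the rule denies for sshd; tty and time are constructed so the
    tty and times fields match and only the users field decides."""
    return [u for u in users if not is_permitted(rule, "sshd", tty, u, when)[0]]


if __name__ == "__main__":
    for name, rule in POSTED_RULES.items():
        print("%-13s denies %s" % (name, who_is_denied(rule)))
```

Run as-is, the "run-together" rule denies nobody (its users field is a single literal token that no user name matches), the "and-list" rule denies only the account that is none of the named users, and the "or-list" rule denies every account because `*` OR anything is always true. The script also makes the man-page point visible that the users field names users, not groups, which matters for the goal of exempting the webhost group.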
NeoPhreak wrote:
> Okay, I've been using linux for a few years but never really got into the
> security portion of it so please excuse my ignorance.
> <SNIP>
> in /etc/pam.d/sshd:
>
>     auth required pam_group.so
>     auth required pam_stack.so service=system-auth
>     auth required pam_nologin.so
>     account required pam_stack.so service=system-auth
>     password required pam_stack.so service=system-auth
>     session required pam_selinux.so
>     session required pam_stack.so service=system-auth
>     session required pam_limits.so
>     session optional pam_console.so
>
> have also changed pam_group.so to pam_time.so and it locks out Everyone!
> Also I am running Fedora Core 2
>
> Any help would be greatly appreciated
> Thanks in advance!
>
> >.< NeoPhreak

Hi NeoPhreak,

I assume you're concerned about SSH logins? Simply create group 'ssh_users' and add the following line to your sshd_config file:

    AllowGroups ssh_users

Oh, and don't forget to restart sshd to activate the changes.

With this, only people who are members of the ssh_users group will be able to log in via ssh.

Enjoy!

Me.
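To check what an AllowGroups line actually admits before restarting sshd, it helps to replay sshd's allow/deny logic over the account database. The script below is an added example, not OpenSSH's code; it follows the order documented in sshd_config(5) (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, each a space-separated list of patterns, with AllowGroups matching both the primary and supplementary groups). The /etc/passwd and /etc/group contents, the account names, and the two config fragments (the `ssh_users` group suggested above, and the thread's original goal of wheel plus webhost with one client blocked) are all constructed; the user@host form of AllowUsers/DenyUsers is not modelled.

```python
"""Which accounts would sshd admit under its Allow/Deny directives?

Added example, not OpenSSH's code. It models the rule documented in
sshd_config(5): DenyUsers, AllowUsers, DenyGroups and AllowGroups are
processed in that order; each holds space-separated patterns ('*' and '?'
wildcards); when AllowUsers or AllowGroups is set, only matching accounts get
in. AllowGroups matches the account's primary group (passwd GID) as well as
its supplementary groups. The user@host form of AllowUsers/DenyUsers is not
modelled. The passwd and group contents below are constructed.
"""
from fnmatch import fnmatchcase
import re

ALLOW_DENY = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_sshd_config(text):
    """Collect the patterns of the four allow/deny directives (keywords are
    case-insensitive; the value may follow whitespace or '=')."""
    directives = {k: [] for k in ALLOW_DENY}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() in directives:
            directives[key.lower()].extend(value.split())
    return directives


def groups_of(user, passwd_text, group_text):
    """Primary group (via the passwd GID) plus supplementary groups."""
    gid_to_name, groups = {}, set()
    for line in group_text.splitlines():
        if line.strip():
            name, _, gid, members = line.split(":")
            gid_to_name[gid] = name
            if user in filter(None, members.split(",")):
                groups.add(name)
    for line in passwd_text.splitlines():
        if line.strip() and line.split(":")[0] == user:
            groups.add(gid_to_name.get(line.split(":")[3], "?"))
    return groups


def _matches(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def ssh_login_allowed(user, groups, directives):
    """Apply the documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if _matches(user, directives["denyusers"]):
        return False
    if directives["allowusers"] and not _matches(user, directives["allowusers"]):
        return False
    if any(_matches(g, directives["denygroups"]) for g in groups):
        return False
    if directives["allowgroups"] and not any(
            _matches(g, directives["allowgroups"]) for g in groups):
        return False
    return True


# Constructed account database: alice, bob and carol are the web clients.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:root,alice
ssh_users:x:500:alice,bob
webhost:x:501:alice,bob,carol
alice:x:1000:
bob:x:1001:
carol:x:1002:
"""
# The reply's suggestion, and the thread's original goal (wheel + webhost)
# with one client explicitly blocked, to show that DenyUsers is checked first.
CONFIG_SSH_USERS = "AllowGroups ssh_users\n"
CONFIG_WHEEL_WEBHOST = "DenyUsers carol\nAllowGroups wheel webhost\n"


def admitted_users(config_text, passwd_text=PASSWD, group_text=GROUP):
    """Accounts that pass the allow/deny checks for this config."""
    directives = parse_sshd_config(config_text)
    users = [l.split(":")[0] for l in passwd_text.splitlines() if l.strip()]
    return [u for u in users
            if ssh_login_allowed(u, groups_of(u, passwd_text, group_text), directives)]


if __name__ == "__main__":
    print("AllowGroups ssh_users     ->", admitted_users(CONFIG_SSH_USERS))
    print("wheel+webhost, deny carol ->", admitted_users(CONFIG_WHEEL_WEBHOST))
```

Two things the model leaves out deliberately: PermitRootLogin, which sshd evaluates separately from the allow/deny lists, and the host part of user@host patterns. On a real host, run `sshd -t` against the edited file before restarting so a typo in the directive does not lock out the administrators along with everyone else.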
Works Great! Thanks!

"me" <me@here.com> wrote in message news:9ZGUd.9463$Vf6.383325@news20.bellglobal.com...
> NeoPhreak wrote:
>> Okay, I've been using linux for a few years but never really got into the
>> security portion of it so please excuse my ignorance.
>> <SNIP>
>> in /etc/pam.d/sshd:
>>
>>     auth required pam_group.so
>>     auth required pam_stack.so service=system-auth
>>     auth required pam_nologin.so
>>     account required pam_stack.so service=system-auth
>>     password required pam_stack.so service=system-auth
>>     session required pam_selinux.so
>>     session required pam_stack.so service=system-auth
>>     session required pam_limits.so
>>     session optional pam_console.so
>>
>> have also changed pam_group.so to pam_time.so and it locks out Everyone!
>> Also I am running Fedora Core 2
>>
>> Any help would be greatly appreciated
>> Thanks in advance!
>>
>> >.< NeoPhreak
>
> Hi NeoPhreak,
>
> I assume you're concerned about SSH logins? Simply create group
> 'ssh_users' and add the following line to your sshd_config file:
>
>     AllowGroups ssh_users
>
> Oh, and don't forget to restart sshd to activate the changes.
>
> With this, only people who are members of the ssh_users group will be able
> to log in via ssh.
>
> Enjoy!
>
> Me.