Hi,
I have a case: only users of a particular LDAP group should be allowed to log in to the host. I found a method via Google which uses pam_listfile.so, and I tried it as described ( https://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html ), but it failed to restrict logins to the particular group. Below is what I did:
1. add pam_listfile.so to system-auth
    # grep pam_listfile.so system-auth -A2
    auth        required      pam_listfile.so \
                              onerr=fail item=group sense=allow file=/etc/login.group.allowed
2. create the file login.group.allowed and add the group name to it
    # ll /etc/login.group.allowed
    -rwxr-xr-x. 1 root root 12 Jan  7 19:28 /etc/login.group.allowed
    # cat /etc/login.group.allowed
    hogpu-users
3. try to log in as a user who is not in group hogpu-users.
    $ ssh test.lu@10.10.10.37
    luo.lu@101.100.10.37's password:
    Last login: Sat Jan  7 19:30:04 2017 from 10.31.32.72
    id: cannot find name for group ID 501
    [luo.lu@xyz-gpu100 ~]$ id test.lu
    uid=10138(test.lu) gid=501 groups=501,503(hogpu-algorithm-intern)
So user test.lu is not in group hogpu-users, but I can still log in to the host.
What did I miss? Any suggestions about this?
Thanks
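The decision pam_listfile makes with item=group depends only on which group names resolve for the user (primary group, if its GID has an /etc/group entry, plus supplementary groups) and whether any of them is on the list file. The model below is an added example, not the module's own code; the passwd, group and allow-list contents are constructed to mirror the post. Whether the module runs at all for a given service depends on that service's PAM stack (on RHEL-style systems /etc/pam.d/sshd pulls in password-auth rather than system-auth), which is outside this model.

```python
# Added example: a model of the check pam_listfile makes with item=group
# (not the module's own code). The passwd, group and allow-list contents
# are constructed to mirror the post: test.lu's primary GID 501 has no
# name in /etc/group, and test.lu is only a member of hogpu-algorithm-intern.
PASSWD = """\
test.lu:x:10138:501::/home/test.lu:/bin/bash
alice:x:10139:504::/home/alice:/bin/bash
"""
GROUP = """\
hogpu-algorithm-intern:x:503:test.lu
hogpu-users:x:504:bob
"""
ALLOWED = "hogpu-users\n"


def parse_passwd(text):
    """Map user name -> primary GID."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {f[0]: int(f[3]) for f in rows}


def parse_group(text):
    """Map group name -> (GID, set of supplementary members)."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in rows}


def user_groups(user, passwd, group):
    """All group names the user belongs to: the primary group (only if its
    GID has an /etc/group entry) plus every group listing the user as a member."""
    pgid = passwd.get(user)
    return {name for name, (gid, members) in group.items()
            if gid == pgid or user in members}


def listfile_group_check(user, allowed_text, passwd_text=PASSWD,
                         group_text=GROUP, sense="allow"):
    """True when pam_listfile (item=group) would return PAM_SUCCESS.
    sense=allow succeeds only if the user is in at least one listed group;
    sense=deny succeeds only if the user is in none of them."""
    listed = {l.strip() for l in allowed_text.splitlines() if l.strip()}
    groups = user_groups(user, parse_passwd(passwd_text), parse_group(group_text))
    hit = bool(groups & listed)
    return hit if sense == "allow" else not hit


if __name__ == "__main__":
    for u in ("test.lu", "alice", "bob"):
        print(u, "allowed" if listfile_group_check(u, ALLOWED) else "denied")
```

With the constructed data, test.lu is denied, alice is allowed through her primary group and bob through supplementary membership; if the real module let test.lu in, the check was not reached by the login path rather than wrongly decided.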