LinuxCommandLibrary

pam_access

Control login access based on rules

SYNOPSIS

pam_access.so [conf=/path/to/file] [debug] [fieldsep=char] [no_warn]

PARAMETERS

conf=/path/to/file
    Specifies an alternative access control file instead of the default /etc/security/access.conf.

debug
    Enables verbose logging of debug information to syslog.

fieldsep=char
    Defines the character used to separate fields (access, users, origins) in the configuration file. Default is a colon (:).

no_warn
    Disables logging of warnings generated by the module to syslog.

DESCRIPTION

The pam_access module provides a flexible mechanism for system access control within the Pluggable Authentication Modules (PAM) framework. It evaluates predefined rules to grant or deny login access based on the user's identity, group membership, and the origin of the login attempt (e.g., specific TTY, hostname, IP address, or time of day).

Access rules are typically defined in the /etc/security/access.conf file. Each rule specifies whether access is granted (+) or denied (-) for a given user or group, originating from a particular source. The module is usually invoked as part of the auth or account stack in PAM configuration files (e.g., /etc/pam.d/sshd). Its primary function is to enforce system-wide access policies, complementing other authentication and authorization mechanisms.

CAVEATS

The effectiveness of pam_access heavily depends on its placement within the PAM configuration stack; it should typically be configured as an account or auth module and invoked before any modules that unconditionally grant access. Misconfigurations in /etc/security/access.conf can lead to unexpected access denials or, conversely, unauthorized access. Be cautious with hostnames as origin rules, as DNS resolution issues can impact login performance. Remember that rules are processed sequentially, and the first matching rule applies.

CONFIGURATION FILE (ACCESS.CONF) FORMAT

The primary configuration for pam_access resides in /etc/security/access.conf. Each rule in this file is structured as:

<permission> : <users> : <origins>

  • <permission>: Must be either + (grant access) or - (deny access).
  • <users>: A comma-separated list of usernames, group names (prefixed with @), or the special keyword ALL.
  • <origins>: A comma-separated list of tty names, hostnames, IP addresses (with optional netmask), network group names (prefixed with @), or time intervals (e.g., MoTuTh1000-1500). The special keywords ALL and LOCAL are also available.

Rules are processed sequentially from top to bottom, and the first matching rule determines the outcome. The EXCEPT operator can be used within the users or origins fields to specify exceptions.
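To make the first-match and EXCEPT semantics concrete, here is an added Python simulation of how such rules are evaluated (example code written for this page, not part of Linux-PAM). The sample policy, the group list passed in by the caller, and the subset of origin syntax handled (ALL, LOCAL, trailing-dot prefixes, addresses with a netmask, exact tty or host names) are assumptions.

```python
import ipaddress
import re

# Constructed sample access.conf (not from the page or any real host): root only
# on the console, the admins group (minus one account) from a management subnet
# or a local tty, then a catch-all deny so unmatched logins fail closed.
SAMPLE_CONF = """\
+ : root : tty1
+ : @admins EXCEPT contractor : 10.0.5.0/24 LOCAL
- : ALL : ALL
"""

def parse_rules(text, fieldsep=":"):
    """Return [(permission, users, origins)] in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(f.strip() for f in line.split(fieldsep, 2)))
    return rules

def _user_matches(item, user, groups):
    return item == "ALL" or (item[1:] in groups if item.startswith("@") else item == user)

def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":          # as in pam_access: an origin with no '.' is local
        return "." not in origin
    if item.endswith("."):       # trailing dot: prefix match, e.g. "10.0.5."
        return origin.startswith(item)
    try:                         # address or network with netmask, e.g. 10.0.5.0/24
        return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
    except ValueError:           # not addresses on both sides: exact tty/host match
        return item == origin

def _field_matches(field, match, *args):
    """A field is 'items' or 'items EXCEPT items'; items are space/comma separated."""
    included, _, excluded = field.partition(" EXCEPT ")
    return any(match(i, *args) for i in re.findall(r"[^\s,]+", included)) and \
        not any(match(e, *args) for e in re.findall(r"[^\s,]+", excluded))

def check_access(rules, user, groups, origin):
    """First matching rule wins. With no match at all pam_access grants access,
    which is why a policy normally ends with a '- : ALL : ALL' line."""
    for perm, users, origins in rules:
        if _field_matches(users, _user_matches, user, groups) and \
           _field_matches(origins, _origin_matches, origin):
            return perm == "+"
    return True
```

Dropping the final deny line (`check_access(parse_rules(SAMPLE_CONF)[:2], ...)`) shows the fail-open behaviour the CAVEATS section warns about: an unmatched login is granted.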

HISTORY

pam_access is part of the Linux-PAM (Pluggable Authentication Modules) project, which was developed to provide a standardized, modular framework for authentication services in Linux. PAM itself originated at SunSoft and was later adopted by various Unix-like systems. pam_access provides a standard way to implement host- and user-based access control rules, offering more granular control than simple /etc/hosts.allow and /etc/hosts.deny for login services.

SEE ALSO

pam(8), access.conf(5), pam_unix(8)
