pam_scp

Introduction

This module is for administrators who want to switch off Telnet and FTP servers and use SSH instead, permitting both file and shell access to their users.

When enforcing the use of SSH, admins sooner or later run into the problem that they cannot permit file access via SCP or SFTP while forbidding shell access via SSH. In large, heavily scripted environments it may even be useful to permit shell access but no file access for certain users.

Additionally, access permissions can be restricted per user depending on the name a reverse DNS lookup returns for the connecting host. Thus, a certain user may be given a shell on host 'server' via SSH from host 'client_1', but no file transfers via SCP or SFTP. The same user may access files from host 'client_2', but is not permitted shell access from 'client_2'. From 'client_3', this user may use both shell and file access.

Installation

Just unpack the sources (if you want to use this experimental software, you should know how to do this) and run
make
with user privileges and
make install
with root privileges in the new directory.

The module "pam_scp.so" will be installed as "/lib/security/pam_scp.so", and an example "pam_scp.tab" will be copied to "/etc/pam_scp.tab". To activate the module, edit "/etc/pam_scp.tab" NOW! Attention: you may restrict root's access to the host, so take care not to lock yourself out of the system. To activate the module in PAM's configuration, edit your "/etc/pam.d/sshd" and append the following line:
session  required       pam_scp.so
Be sure to have unrestricted access configured for root before you activate the module in "/etc/pam.d/sshd"; consult the example below to see how to permit full file and shell access for "root".

Configuration

The configuration file is "/etc/pam_scp.tab"; its format is
<user>:<host|*>:file=<0|1>:shell=<0|1>
Lines starting with '#' are ignored, as are empty lines. "user" is the local username; "host" is either a host name (which must be the name your name service returns on a reverse lookup) or '*', meaning all hosts; "file=" and "shell=" are set to 1 (allow) or 0 (restrict).

Example configuration file

Having a file like this:
# pam_scp.tab
#
# format is <user>:<host>:file=[0|1]:shell=[0|1]
# '*' may be used as a wildcard for every host
#
# EXAMPLE FILE: 
# 
# root + luke both may use SCP and SFTP as well as SSH,
# 
# volker may use a shell from host gw, but not copy files
# from or to there
#
# volker may not access this machine from lukenukem at all,
# neither for shell nor for file transfer
#
# volker may transfer files, but not use a shell, from 
# every other host

root:*:file=1:shell=1

luke:*:file=1:shell=1

volker:gw:file=0:shell=1
volker:lukenukem:file=0:shell=0
volker:*:file=1:shell=0
Users "root" and "luke" both have full access (file=1:shell=1) from any host ('*'). Note again that the host name is compared to what the reverse DNS lookup provides. Attention: this may be an IP address if the host has no reverse DNS entry.

Technical background

This module evaluates the PAM item PAM_TTY, which is set to a pty in case of a shell, but to "ssh" in case of a file login. I do not know whether this is a valid criterion and didn't get an answer to this question, so please be careful when trying this in a production environment. It works fine for me; your mileage may vary. This module has only been tested with pam-0.75 on a Linux system.
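As an added illustration (not part of pam_scp's sources), the following Python evaluator reproduces the decision the module makes from the two inputs described above: the pam_scp.tab rules and the PAM_TTY item. It assumes that the first matching line wins and that a user with no matching line is denied; neither default is stated in this documentation, and the sample table is constructed from the example configuration above.

```python
"""Reference evaluator for pam_scp.tab decisions (added example, not the module's code)."""

# Constructed sample mirroring the README's example configuration file.
SAMPLE_TAB = """\
# pam_scp.tab
root:*:file=1:shell=1
luke:*:file=1:shell=1
volker:gw:file=0:shell=1
volker:lukenukem:file=0:shell=0
volker:*:file=1:shell=0
"""

def parse_tab(text):
    """Parse pam_scp.tab lines into (user, host, file_ok, shell_ok) tuples.
    Comment lines ('#') and empty lines are ignored; malformed lines raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected user:host:file=:shell=")
        user, host, file_f, shell_f = fields
        flags = {}
        for f in (file_f, shell_f):
            key, _, val = f.partition("=")
            if key not in ("file", "shell") or val not in ("0", "1"):
                raise ValueError(f"line {lineno}: bad flag {f!r}")
            flags[key] = val == "1"
        rules.append((user, host, flags["file"], flags["shell"]))
    return rules

def access_kind(pam_tty):
    """PAM_TTY is 'ssh' for scp/sftp logins and a pty path for shell logins."""
    return "file" if pam_tty == "ssh" else "shell"

def allowed(rules, user, rhost, pam_tty):
    """First rule matching user and host ('*' = any host) decides; no match -> deny
    (assumption for this example; the README does not state the default).
    rhost is whatever the reverse DNS lookup returned, possibly a bare IP address."""
    kind = access_kind(pam_tty)
    for r_user, r_host, file_ok, shell_ok in rules:
        if r_user == user and r_host in ("*", rhost):
            return file_ok if kind == "file" else shell_ok
    return False
```

Note that a client without a reverse DNS entry shows up as its IP address, so it never matches a host-name rule and falls through to the '*' line, if any.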

Thank you

Maybe you would like to have a glance at the sources, too. I am neither a very experienced nor a skilled programmer and massively lack training in the C language. For years, I have preferred Perl. There will be an Apache module which should make administration of this thing easy.

Please excuse my bad English -- this is another problem with lack of training that I experience.

Future

This module may one day provide interfaces to LDAP, NIS and/or other directory services. It might also be extended to support Unix group management.

I hope that SSH, especially OpenSSH, and its future releases will become more widely used software for shell interaction and file transfer on the Internet. This would spare the Internet community many of the security problems that administrators experience every day.

License

This software is freely distributable under the GNU public license, a copy of which you should have received with this software (in a file called COPYING). Otherwise, please refer to the GNU Project website at http://www.gnu.org/copyleft/ and learn about the GPL (GNU Public License).