# How to restrict access to SSH with pam_group.so



## malexe (Mar 5, 2010)

My goal is to restrict who can ssh into a server using pam_group.so.

I tried these settings in /etc/pam.d/sshd:


```
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_group.so            group=wheel
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```

But it does not work; I only have a generic failure message in auth.log:

```
error: PAM: authentication error for user from hostname
```


----------



## gilinko (Mar 5, 2010)

pam_group.so is not as fully configurable, and my suggestion would be to use the line from /etc/pam.d/su, which says:

```
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
```
Note that it uses _requisite_ and not _required_.


----------



## Time2IPL (Mar 6, 2010)

I'm not sure what you mean by "it doesn't work"; it does block the ssh connection attempt and it does log the failure...

What else are you trying to get it to do?


----------
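An added example, not written by any poster in the thread: a small Python check that reads the auth chain of a PAM service file and reports which control flag the pam_group.so line uses and which earlier modules end the chain on success before the group check runs. The function names are hypothetical, the sample input is constructed from the configuration posted above, and it assumes simple control flags only (no bracketed controls, no resolution of include lines).

```python
# Added example (not from the thread): lint where pam_group.so sits in an auth chain.
# Assumes simple control flags (FreeBSD/OpenPAM style), no "[...]" controls or includes.

# Constructed sample: the auth lines posted in the thread, forum markup removed.
SAMPLE = """\
auth  sufficient  pam_opie.so        no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so  no_warn allow_local
#auth sufficient  pam_krb5.so        no_warn try_first_pass
auth  required    pam_group.so       group=wheel
auth  required    pam_unix.so        no_warn try_first_pass
account required  pam_nologin.so
"""

# Controls that end the chain with success as soon as the module succeeds.
SHORT_CIRCUIT = {"sufficient", "binding"}


def parse_chain(text, facility="auth"):
    """Return [(control, module, options)] for one facility, in file order."""
    chain = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == facility:
            chain.append((fields[1], fields[2], fields[3:]))
    return chain


def audit_group_check(text, module="pam_group.so"):
    """Describe how the group check is wired in and what can skip it."""
    chain = parse_chain(text)
    idx = next((i for i, e in enumerate(chain) if e[1] == module), None)
    if idx is None:
        return {"present": False, "control": None, "group": None, "skipped_after": []}
    control, _, opts = chain[idx]
    group = next((o.split("=", 1)[1] for o in opts if o.startswith("group=")), None)
    return {
        "present": True,
        "control": control,  # requisite fails at once; required fails at chain end
        "group": group,
        "skipped_after": [m for c, m, _ in chain[:idx] if c in SHORT_CIRCUIT],
    }


if __name__ == "__main__":
    report = audit_group_check(SAMPLE)
    print(report)
    for mod in report["skipped_after"]:
        print(f"group check is never reached when {mod} succeeds")
```
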

