# problem with login.access



## Nokobon (Aug 18, 2009)

Hello,
in addition to the real console, I'd like to access my server via ssh but restrict this access to one computer of the local network.
So I tried to use these lines in /etc/login.access:

```
+:ALL:ttyv0
+:ALL:192.168.1.102
-:ALL:ALL
```

Now when I connect to the server from 192.168.2.102 or login directly at the console (ttyv0) as a user that is a member of wheel and try to use su to become root I get this:

```
pam_login_access: pam_sm_acct_mgmt: root is not allowed to log in on /dev/tty..)
```

Why that? How do these lines in login.access disable the ability to become root via the su command?
Without any restrictions in login.access the users in the wheel group are able to become root...

Thanks,
Nokobon


----------



## DutchDaemon (Aug 18, 2009)

Why not use hosts.allow for this (hosts_access(5))? Sshd is tcpwrapper-aware.


----------



## Nokobon (Aug 18, 2009)

DutchDaemon said:

> Why not use hosts.allow for this (hosts_access(5))? Sshd is tcpwrapper-aware.


You are right, in this situation I'd just need tcp-wrappers.
But I forgot to mention that I will have, for example, one user that is allowed to login over ssh from everywhere.
Sorry for that!
So I have to distinguish between the different users that use ssh, which is not possible with tcp wrappers.
In fact my login.access will look like this:

```
+:ALL:ttyv0
+:ALL:192.168.1.102
+:user1:ALL
-:ALL:ALL
```

Every ssh-login is restricted to the local network and ttyv0 except for user1.
So why doesn't su work now?


----------



## anomie (Aug 18, 2009)

Nokobon said:

> Why that? How do these lines in login.access disable the ability to become root via the su command?
> Without any restrictions in login.access the users in the wheel group are able to become root...



Because if you look at the rule stack in `/etc/pam.d/su` you'll see that it requires "system"; `/etc/pam.d/system` contains the rule:

```
account         required        pam_login_access.so
```

So login.access changes affect more than one PAM-enabled program -- good thing to keep in mind when you're formulating your ruleset. 

As for the original problem, you're probably trying to su from a tty that isn't being explicitly allowed. You may need something more like: 

```
+:ALL:LOCAL
```

Or... you may need to explicitly list all possible ttys.


----------



## Nokobon (Aug 18, 2009)

Thanks for your answer!


			
				anomie said:
			
		

> Because if you look at rule stack in [font="Fixedsys"]/etc/pam.d/su[/font] you'll see that it requires "system"; [font="Fixedsys"]/etc/pam.d/system[/font] contains the rule:
> 
> ```
> account         required        pam_login_access.so
> ...


Well, sorry. I have to say, I don't really get what you want to tell me... I've read the man page for pam, but it didn't help me understand that.



			
				anomie said:
			
		

> As for the original problem, you're probably trying to su from a tty that isn't being explicitly allowed. You may need something more like:
> 
> ```
> +:ALL:LOCAL
> ```


I added this line to login.access and now I can use su via ssh.
But what is the difference between using "LOCAL" and using the IP "192.168.1."? I thought they both represent the local network.
But in fact I need both rules to be able to use su...



			
				anomie said:
			
		

> Or... you may need to explicitly list all possible ttys.


I explicitly allowed ttyv0 before and it didn't work anyhow...


----------



## anomie (Aug 18, 2009)

Nokobon said:

> But what is the difference between using "LOCAL" and using the IP "192.168.1."? I thought they both represent the local network.



No. Read the manpage for login.access(5):


> LOCAL
> matches a string not containing a period.



So I believe that could replace your list of ttys.


----------



## Nokobon (Aug 19, 2009)

anomie said:

> No. Read the manpage for login.access(5)


Well, I've read the man page on my server (FreeBSD 7.1), but it's different from the one you referred to.
It says:

```
LOCAL (matches any string that does not contain a "." character)
```
And "Absolute FreeBSD" says LOCAL matches any host without a dot in it (generally only hosts in the local domain).

Any host in my local domain has got an IP beginning with 192.168.1., so I still wonder what's the difference...

I don't think it is concerned with ttys, because the man page says login.access looks for a matching user-host combination (network logins) or user-tty combination (non-network logins).
And we are talking about network logins now.

Anyhow...now it works, so thanks for your help.


----------



## ironmikie (Aug 19, 2009)

Why not use sshd's built-in functionality?

Add this to your sshd configuration file:


```
AllowUsers username@ip
```


----------



## anomie (Aug 19, 2009)

There are lots of ways to skin this potato; I don't see a reason to _not_ use pam_login_access(8) to solve this problem (assuming OP is familiar with the others). 

@Nokobon: All those manpage versions are saying essentially the same thing!!  And ttys do not have a dot in them, so of course they match LOCAL. Glad it's working now.
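The thread's two explanations (anomie's earlier post that `su` is checked by `pam_login_access` through `/etc/pam.d/system`, and this post's point that tty names contain no dot and therefore match `LOCAL`) can be walked through with a small evaluator of the login.access(5) matching rules. This is an added example, not code from the thread or from FreeBSD's `login_access.c`; it models only the subset of the syntax the thread uses (first matching rule wins, `+`/`-`, user and group names, `ALL`, `LOCAL`, address prefixes ending in `.`, domain suffixes starting with `.`, and `EXCEPT`), the group table is constructed, and the full tty names `/dev/ttyv0` and `/dev/ttyp0` are constructed from the truncated `/dev/tty..` in the error message above. That `su` is checked against a tty name rather than a remote host is an assumption consistent with that message ("not allowed to log in on /dev/tty..").

```python
"""Toy evaluator for /etc/login.access rules per login.access(5).

Added example (not the thread's or FreeBSD's code). Semantics modelled:
  - each line is permission:users:origins, '#' starts a comment
  - the first matching line decides; no match means access is granted
  - users: login name, group name, ALL, with optional 'EXCEPT' list
  - origins: exact tty/host, "192.168.1." prefix, ".example.org" suffix,
    ALL, LOCAL (any string without a "."), with optional 'EXCEPT' list
"""

# Constructed group membership; the real module consults getgrnam(3).
GROUPS = {"wheel": {"admin"}}


def _item_matches(token: str, value: str, is_user: bool) -> bool:
    """Match one list item (a user token or an origin token) against a value."""
    if token == "ALL":
        return True
    if is_user:
        # A token names the user directly or a group the user belongs to.
        return token == value or value in GROUPS.get(token, set())
    if token == "LOCAL":
        # login.access(5): LOCAL matches any string that contains no ".",
        # so tty names match it while dotted IP addresses do not.
        return "." not in value
    if token.endswith("."):
        # Network prefix such as "192.168.1." matches a dotted address.
        return value.startswith(token)
    if token.startswith("."):
        # Domain suffix such as ".example.org" matches a host name.
        return value.endswith(token)
    # Anything else is an exact tty name, host name or address.
    return token == value


def _list_matches(spec: str, value: str, is_user: bool) -> bool:
    """Evaluate 'a b EXCEPT c d' lists; items are separated by spaces or commas."""
    left, _, right = spec.partition(" EXCEPT ")

    def any_match(part: str) -> bool:
        return any(_item_matches(t, value, is_user)
                   for t in part.replace(",", " ").split())

    return any_match(left) and not (right and any_match(right))


def evaluate(config: str, user: str, origin: str):
    """Return (permitted, matching_line); matching_line is None if no rule matched."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_matches(users, user, True) and _list_matches(origins, origin, False):
            return perm == "+", line
    return True, None  # no matching entry: access is granted


# The ruleset from the thread, and the same ruleset with the suggested LOCAL line.
RULES_ORIGINAL = "+:ALL:ttyv0\n+:ALL:192.168.1.102\n+:user1:ALL\n-:ALL:ALL\n"
RULES_WITH_LOCAL = "+:ALL:LOCAL\n" + RULES_ORIGINAL

# Constructed (user, origin) pairs: network logins carry the remote address,
# su carries the tty name, which the thread's error message shows starts with
# "/dev/" (the tails "ttyv0" / "ttyp0" are constructed).
CASES = (
    ("admin", "192.168.1.102"),   # ssh from the allowed LAN host
    ("admin", "203.0.113.7"),     # ssh from elsewhere
    ("user1", "203.0.113.7"),     # the one user allowed from anywhere
    ("root", "/dev/ttyv0"),       # su at the console
    ("root", "/dev/ttyp0"),       # su inside an ssh session
)

if __name__ == "__main__":
    for name, cfg in (("original", RULES_ORIGINAL), ("with LOCAL", RULES_WITH_LOCAL)):
        for who, origin in CASES:
            ok, rule = evaluate(cfg, who, origin)
            verdict = "permit" if ok else "deny"
            print(f"{name:10} {who:6} from {origin:14} -> {verdict:6} via {rule}")
```

Running it shows the two observations from the thread side by side: with the original rules `su` is denied by `-:ALL:ALL` both at the console and over ssh, because `+:ALL:ttyv0` is compared against the full tty name `/dev/ttyv0` (an exact comparison in this model) and a tty never equals a dotted address; with `+:ALL:LOCAL` added, both tty names match because they contain no `.`, while remote addresses still fall through to the address rules, so the per-host restriction on network logins is unchanged.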


----------



## Nokobon (Aug 20, 2009)

Yes, I'm glad it's working now. 
Thanks!

@ironmikie:
Good idea, I use the AllowUsers option of ssh, but I didn't know (or forgot) that the users can even be restricted to a specific IP.
I may try that.

The advantage of login.access is that these rules apply for all login ways (FTP, Telnet, ...), not just for ssh...


----------

