use pam_acccess only for /etc/pam.d/login

remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"
2025-07-13 17:29:47 +07:00 · 2019-12-12 09:00:08 -05:00
parent 22b6480bc4
commit 729fa26eca
4 changed files with 25 additions and 50 deletions
--- a/usr/lib/security-misc/pam_only_if_login
+++ b/usr/lib/security-misc/pam_only_if_login
@ -0,0 +1,21 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+if [ "$PAM_SERVICE" = "login" ]; then
+   ## FIXME:
+   ## Creates unwanted journal log entry.
+   ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1
+   exit 1
+else
+   ## exit success so [success=1 default=ignore] will result in skipping the
+   ## next pam module.
+   exit 0
+fi
--- a/usr/share/pam-configs/console-lockdown-security-misc
+++ b/usr/share/pam-configs/console-lockdown-security-misc
@ -1,6 +1,7 @@
-Name: allow only members of group console / ssh to login/incoming ssh (by package security-misc)
+Name: allow only members of group console to use login (by package security-misc)
 Default: no
 Priority: 280
 Account-Type: Primary
 Account:
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/lib/security-misc/pam_only_if_login
 	required	pam_access.so accessfile=/etc/security/access-security-misc.conf debug