Adding one line to restrict access to systems user when nologin file is created

a0853d76 · Gin Tan (Monash University) · 08735a21 · a0853d76 · a0853d76
Commit a0853d76 authored 6 years ago by Gin Tan (Monash University)
--- a/roles/pam_sshd/tasks/main.yml
+++ b/roles/pam_sshd/tasks/main.yml
+- name: "Copy password sshd pam config"
+  template: src=sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+
--- a/roles/pam_sshd/templates/sshd.j2
+++ b/roles/pam_sshd/templates/sshd.j2
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare