UIDs not listed in users.allow can log in with stored SSH keys on an AIX system using LAM
The system was using LAM rather than PAM for authentication, so the QAS access controls in users.allow and users.deny, which pam_vas enforces, were never applied to SSH public-key logins: that authentication path bypasses the PAM stack entirely.
RESOLUTION:
1 - Run the following command:
/opt/quest/bin/vastool configure vas nss_vas check-host-access true
This command edits /etc/opt/quest/vas/vas.conf and sets check-host-access to true in the [nss_vas] section, so that name-service lookups (not only PAM) apply the users.allow and users.deny rules.
ADDITIONAL INFORMATION:
FROM MAN VAS.CONF PAGE:
By default, nss_vas does not perform any host access checking for performance reasons, since it is already performed by pam_vas. However, there are cases where applications completely bypass the PAM stack during authentication. If there are applications that behave this way, the QAS access controls in /etc/opt/quest/vas/users.allow and /etc/opt/quest/vas/users.deny can still be applied. By setting this option to true, nss_vas will apply the access check to users in the getpw* family of functions, which are getpwnam(), getpwuid(), and getpwent(). If the user is denied access according to the configured access rules, then the user's pw_shell field in the resulting passwd struct will be set to /bin/false. This shell can be overridden with the access-denied-shell option. You may need to restart some services in order to make this change take effect.
Note that you do not need to use this option to do access control checking for applications that do not call pam_authenticate() but do call pam_open_session(). For applications like this, such as ssh with GSSAPI or keys, use the do_access_check option for the session configuration of pam_vas.
Finally, note that enabling this option will impact the performance of the getpw* function calls, due to the extra processing that must occur for each call. Only turn this option on after verifying that the performance impact does not severely affect your environment. Also, it is not possible to use service-specific access control files: only the default users.allow and users.deny files will be used.
The following example shows how to turn on access control checks from nss_vas.
[nss_vas]
check-host-access = true
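The following script is an added example and is not part of the One Identity article or the QAS product; it is the kind of check a practitioner would type on the AIX host after running the vastool command above. It audits a vas.conf for the [nss_vas] check-host-access setting, and classifies a passwd(5) line the way getent passwd output would be read once nss_vas rewrites a denied user's shell to /bin/false (or to the configured access-denied-shell). The vas.conf contents, the user jdoe and both passwd lines are constructed samples; the audit functions take a file path, so on a real system you would pass /etc/opt/quest/vas/vas.conf.

```shell
#!/bin/sh
# Added example, not from the One Identity article or the QAS product code.
# Audits a vas.conf for the [nss_vas] check-host-access setting and checks a
# passwd entry the way a practitioner would after the change (on a real host:
# "getent passwd <user>", expecting /bin/false for a user denied by users.allow
# or users.deny). The sample config and passwd lines below are constructed.

# Print the value of KEY in [SECTION] of an INI-style file; empty if unset.
# Usage: vas_conf_get FILE SECTION KEY
vas_conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$")); next }
        in_sect && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Prints "enabled" when nss_vas will apply users.allow/users.deny itself,
# "disabled" otherwise (the default, where only pam_vas checks access).
check_host_access_state() {
    case "$(vas_conf_get "$1" nss_vas check-host-access)" in
        [Tt][Rr][Uu][Ee]) echo enabled ;;
        *)                echo disabled ;;
    esac
}

# Classify one passwd(5) line by its shell field. With check-host-access on,
# nss_vas rewrites pw_shell of a denied user to /bin/false, or to the
# access-denied-shell if one is configured (pass it as the 2nd argument).
# Prints "denied" or "allowed".
passwd_entry_state() {
    denied_shell="${2:-/bin/false}"
    shell=$(printf '%s\n' "$1" | awk -F: '{ print $7 }')
    if [ "$shell" = "$denied_shell" ]; then echo denied; else echo allowed; fi
}

# --- constructed samples: a vas.conf before and after the vastool command ---
VAS_CONF_BEFORE=$(mktemp)
VAS_CONF_AFTER=$(mktemp)
trap 'rm -f "$VAS_CONF_BEFORE" "$VAS_CONF_AFTER"' EXIT
printf '%s\n' '[vas_auth]' 'allow-disconnected-auth = true' '' \
    '[nss_vas]' '# check-host-access not set: the default is false' > "$VAS_CONF_BEFORE"
printf '%s\n' '[vas_auth]' 'allow-disconnected-auth = true' '' \
    '[nss_vas]' 'check-host-access = true' > "$VAS_CONF_AFTER"

# Constructed "getent passwd jdoe" output for a user who is NOT in users.allow,
# before and after enabling the option (assumed user name and shell).
PW_BEFORE='jdoe:*:10001:10001:Jane Doe:/home/jdoe:/usr/bin/ksh'
PW_AFTER='jdoe:*:10001:10001:Jane Doe:/home/jdoe:/bin/false'

echo "before: nss_vas access check $(check_host_access_state "$VAS_CONF_BEFORE"), jdoe $(passwd_entry_state "$PW_BEFORE")"
echo "after:  nss_vas access check $(check_host_access_state "$VAS_CONF_AFTER"), jdoe $(passwd_entry_state "$PW_AFTER")"
```

On a real host the "after" check is the one that proves the fix: once the option is on and sshd has been restarted (the man page notes some services need a restart), getent passwd for a user absent from users.allow must return /bin/false in the shell field, so an SSH key login for that user gets no usable shell. Because only the default users.allow and users.deny apply in this mode, the same audit function run across an estate of AIX/LAM hosts is a cheap way to find systems where the option was never set.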
© 2024 One Identity LLC. ALL RIGHTS RESERVED.