Cockpit uses PAM(8) to authenticate local users. The pam_access module enforces the user / group / IP restrictions written in access.conf(5), so it can be used to limit which users are allowed to log in to Cockpit.
When Cockpit is installed, `/etc/pam.d/cockpit` is created.
Open it in a suitable editor and add a line for pam_access.so.
The `accessfile=path/to/access.conf` argument is optional. If it is not given,
`/etc/security/access.conf` is used.
/etc/pam.d/cockpit

```
#%PAM-1.0
# this MUST be first in the "auth" stack as it sets PAM_USER
# user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code
-auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
auth optional pam_ssh_add.so
account required pam_nologin.so
account required pam_access.so accessfile=/etc/security/cockpit_access.conf   # ★ Add this line
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session optional pam_ssh_add.so
session include password-auth
session include postlogin
```
The new line must come before `account include password-auth`. If the order is reversed, the password-auth file pulled in by `account include password-auth`
contains a `sufficient` entry, so once authentication succeeds there the account stack ends and any restriction written after the include is never evaluated.
Create a file in the access.conf(5) format at the path given by accessfile. For example, to create a cockpit group so that only its members can log in:

/etc/security/cockpit_access.conf

```
-:ALL EXCEPT (cockpit):LOCAL
```
Each entry is written as `<permission>:<users or groups>:<origins>`:
- `<permission>` is either `+` (permit) or `-` (deny)
- the second field lists user or group names; `ALL` stands for all users or all groups, and `EXCEPT` excludes the users or groups that follow it
- group names are enclosed in parentheses, which is how pam_access tells them apart from user names
- `ALL EXCEPT (cockpit)` therefore means every user except the members of the cockpit group
Try logging in: a user who is not in the cockpit group gets Permission Denied,
while a member of the group logs in successfully.
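Two things above are easy to get wrong without noticing: the position of the pam_access line relative to `account include password-auth`, and the meaning of an `ALL EXCEPT (group)` rule. The script below is an added example (not from the original post or from the Cockpit project) that checks both offline. It writes two constructed `/etc/pam.d/cockpit` fragments into a temporary directory and verifies that pam_access precedes the include, and it contains a deliberately simplified model of the pam_access user-field match (`ALL`, user names, `(group)`, `ALL EXCEPT ...`; the origin field is ignored) so you can see which rule outcome a given user and group membership would get. The sample file names, user names and group lists are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the setup
# described above. Sample files and user/group names are constructed here;
# point the functions at /etc/pam.d/cockpit and the real accessfile to check
# a live host.

# pam_access_before_include FILE
# Succeeds only when the first "account ... pam_access.so" line precedes the
# first "account include password-auth" line. password-auth contains a
# "sufficient" entry, so pam_access placed after the include is skipped
# whenever authentication succeeds there.
pam_access_before_include() {
    acc=$(grep -n -E '^[[:space:]]*account[[:space:]].*pam_access\.so' "$1" | head -n 1 | cut -d: -f1)
    inc=$(grep -n -E '^[[:space:]]*account[[:space:]]+include[[:space:]]+password-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$inc" ] && [ "$acc" -lt "$inc" ]
}

# access_rule_valid LINE
# Basic syntax check for one access.conf(5) entry: three ':'-separated
# fields whose first is '+' or '-'. (Origins that themselves contain ':',
# such as IPv6 addresses, are not handled by this simple check.)
access_rule_valid() {
    case "$1" in
        [+-]:*:*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | awk -F: '{ print NF }')" -eq 3 ]
}

# userlist_matches USERLIST USER GROUPS
# Simplified model of how pam_access matches the second field against a
# user: USERLIST is "ALL", a user name, "(group)", or "ALL EXCEPT <items>";
# GROUPS is a space-separated list of the groups USER belongs to.
userlist_matches() {
    case "$1" in
        "ALL EXCEPT "*)
            # applies to everyone the exception list does NOT match
            userlist_matches "${1#ALL EXCEPT }" "$2" "$3" && return 1
            return 0 ;;
    esac
    for item in $1; do
        case "$item" in
            ALL) return 0 ;;
            "("*")")
                g=${item#"("}; g=${g%")"}
                for ug in $3; do
                    [ "$ug" = "$g" ] && return 0
                done ;;
            *) [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# rule_action RULE USER GROUPS
# Prints "permit" or "deny" when the rule's user field matches USER, and
# "no-match" otherwise. The origin field is not modelled here.
rule_action() {
    perm=${1%%:*}
    users=${1#*:}; users=${users%%:*}
    if userlist_matches "$users" "$2" "$3"; then
        case "$perm" in
            +) echo permit ;;
            -) echo deny ;;
            *) echo "invalid permission: $perm" ;;
        esac
    else
        echo no-match
    fi
}

# write_samples DIR: constructed /etc/pam.d/cockpit account-stack fragments,
# one with the pam_access line in the right place, one with it after the include.
write_samples() {
    cat > "$1/cockpit.good" <<'EOF'
account required pam_nologin.so
account required pam_access.so accessfile=/etc/security/cockpit_access.conf
account include password-auth
EOF
    cat > "$1/cockpit.bad" <<'EOF'
account required pam_nologin.so
account include password-auth
account required pam_access.so accessfile=/etc/security/cockpit_access.conf
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    pam_access_before_include "$tmp/cockpit.good" && echo "cockpit.good: pam_access is evaluated"
    pam_access_before_include "$tmp/cockpit.bad" || echo "cockpit.bad: pam_access is never reached after a successful login"
    rule='-:ALL EXCEPT (cockpit):LOCAL'
    echo "alice (users cockpit): $(rule_action "$rule" alice 'users cockpit')"
    echo "bob (users wheel):     $(rule_action "$rule" bob 'users wheel')"
    rm -rf "$tmp"
}
demo
```

A `no-match` result for a cockpit member is the expected outcome: pam_access only acts on the first rule that matches, and a user who matches no rule is allowed through, which is exactly why the single `-:ALL EXCEPT (cockpit):LOCAL` line is enough.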