Using PAM to allow access#
Over the years PAM (Pluggable Authentication Module) has become the standard on Solaris and Linux, and others like AIX and the known BSDs are following. But by default, all services that use PAM are allowing all users to use it unless the service itself takes action. So why not bring the authorization part to PAM and make the decision to allow access directly in PAM?
In this example, we want to allow only access to Dovecot for users who are members of POSIX-group ac_mail. For this, we use a module called pam_succeed_if which can verify if a user is in a certain group or not. Based on the standard PAM file for a service, we create a new file for Dovecot and added the required line to do the authentication.
#%PAM-1.0
@include common-auth
auth required pam_succeed_if.so quiet user ingroup ac_mail
@include common-account
@include common-session
Also changing the Dovecot configuration to tell it to use the dovecot PAM file.
passdb pam {
args = session=yes dovecot
}
Now only users who are members of the ac_mail group can log in. This allows a system administrator to use LDAP for example so all machines have the same group information and all machines with the modified PAM configuration to use it. This way of allowing users to log on can also be used for other services that depend on PAM like Proftpd, OpenSSH, or PostgreSQL for example.