PAM is the default authentication mechanism on Linux. It is very flexible and powerful, and even allows you to configure different authentication options for each application. In this example we will use the PAM module "pam_listfile", which is already included in the standard package "libpam-modules".
The application name has to match the name of the file under /etc/pam.d. So, for example, for an application "abc" you would have the following PAM configuration file, /etc/pam.d/abc:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/group.allow
@include common-auth
@include common-account
@include common-password
@include common-session
The first line only authenticates users who are members of at least one group listed in /etc/group.allow. The option onerr=fail makes the module deny access whenever it hits an error, for example when the list file is missing or unreadable, so a broken setup fails closed rather than open; pam_listfile also refuses to use a list file that is not owned by root or that is world-writable, which with onerr=fail likewise results in denial. For this example /etc/group.allow contains just a single line and looks like this:
abc_group
This allows only members of the group "abc_group" to log in to application "abc". After adding the new configuration files, always test your PAM settings with pamtester:
# id bob
uid=1003(bob) gid=1003(bob) groups=1003(bob)
# pamtester abc bob authenticate
Password:
pamtester: Authentication failure
# usermod -aG abc_group bob
# pamtester abc bob authenticate
Password:
pamtester: successfully authenticated
At first the user "bob" is not a member of the group "abc_group", so pamtester fails to authenticate him even when the correct password is given. After adding "bob" to the group "abc_group", authentication succeeds.
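To see exactly which decision the line "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/group.allow" makes, here is an added shell model of that logic (example code written for this article, not part of pam_listfile or the original text). It runs against constructed copies of /etc/group and /etc/group.allow in a temporary directory, so it needs no root and touches no real PAM configuration; the group memberships, the helper names (groups_of, listfile_allow, add_to_group, decision) and the "demo" argument are all assumptions of this example. The model covers the allow/deny decision and the onerr=fail behaviour for a missing list file; it does not reproduce the module's ownership and permission checks on the list file.

```shell
#!/bin/sh
# Added example: a shell model of pam_listfile with
#   onerr=fail item=group sense=allow file=/etc/group.allow
# run against constructed stand-ins for /etc/group and /etc/group.allow.
set -eu

WORK=$(mktemp -d)
GROUP_FILE="$WORK/group"       # constructed stand-in for /etc/group
ALLOW_FILE="$WORK/group.allow" # constructed stand-in for /etc/group.allow

# Constructed sample /etc/group: bob is only in his primary group "bob",
# alice is additionally a member of abc_group.
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
abc_group:x:1500:alice
bob:x:1003:
alice:x:1004:
EOF

# The allow list from the article: a single group name per line.
printf 'abc_group\n' > "$ALLOW_FILE"

# groups_of USER: print every group USER belongs to, one per line. The primary
# group is modelled as the group whose name equals the user name, matching the
# `id bob` output shown in the article.
groups_of() {
    awk -F: -v u="$1" '
        $1 == u { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }' "$GROUP_FILE"
}

# listfile_allow USER: item=group sense=allow onerr=fail.
# Succeeds only if the allow file is readable and USER is in at least one
# group listed there. Any error (missing or unreadable file) denies, which is
# what onerr=fail means: the check fails closed.
listfile_allow() {
    user=$1
    [ -r "$ALLOW_FILE" ] || return 1          # onerr=fail: error -> deny
    for g in $(groups_of "$user"); do
        if grep -qx -- "$g" "$ALLOW_FILE"; then
            return 0
        fi
    done
    return 1
}

# add_to_group USER GROUP: model `usermod -aG GROUP USER` on the constructed file.
add_to_group() {
    awk -F: -v OFS=: -v u="$1" -v g="$2" '
        $1 == g { $4 = ($4 == "") ? u : $4 "," u }
        { print }' "$GROUP_FILE" > "$GROUP_FILE.tmp" && mv "$GROUP_FILE.tmp" "$GROUP_FILE"
}

# decision USER: print "allow" or "deny" for USER under the modelled rule.
decision() {
    if listfile_allow "$1"; then echo allow; else echo deny; fi
}

# Run with the argument "demo" to replay the article's pamtester session.
if [ "${1:-}" = "demo" ]; then
    echo "bob before usermod:          $(decision bob)"
    add_to_group bob abc_group
    echo "bob after usermod:           $(decision bob)"
    rm -f "$ALLOW_FILE"
    echo "bob with missing allow file: $(decision bob)"
fi
```

Running it with "demo" reproduces the sequence from the pamtester session: bob is denied, is allowed after being added to abc_group, and is denied again once the allow file is gone, which is the fail-closed behaviour that onerr=fail buys you in the real module.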