Using PAM to allow access

Over the years PAM (Pluggable Authentication Modules) has become the standard on Solaris and Linux, and others such as AIX and the well-known BSDs are following. By default, however, every service that uses PAM lets any user authenticate through it unless the service itself restricts access. So why not move the authorization decision into PAM as well and decide there who is allowed in?

In this example we want to allow access to Dovecot only to users who are members of the POSIX group ac_mail. For this we use the module pam_succeed_if, which can test whether a user is in a given group. Starting from the standard PAM file for a service, we create a new file for Dovecot and add the line that performs the group check.

#%PAM-1.0
# Normal password authentication first ...
@include common-auth
# ... then require membership of ac_mail. "required" records the failure but still
# runs the rest of the stack, so a user outside the group sees the same denial as a
# wrong password; "quiet" suppresses the syslog message on failure or success.
auth required pam_succeed_if.so quiet user ingroup ac_mail
@include common-account
@include common-session

Then change the Dovecot configuration so that it uses this PAM service file (/etc/pam.d/dovecot). The last word in args is the PAM service name; session=yes makes Dovecot also run the session stack.

passdb pam {
  args = session=yes dovecot
}

Now only users who are members of the ac_mail group can log on. Because the decision is made in PAM, a system administrator can keep the group in LDAP, for example, so that every machine sees the same group information, and roll out the same modified PAM configuration to all of them. The same approach works for other services that authenticate through PAM, such as ProFTPD, OpenSSH or PostgreSQL.
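As an added check (example script, not from the original post), the following POSIX shell helper lists the users that the user ingroup ac_mail test above will accept, counting both the primary group from passwd(5) and the supplementary members in group(5), which is how pam_succeed_if evaluates group membership. The passwd and group entries in the demo are constructed; on a real host run it against /etc/passwd and /etc/group, or against saved getent passwd and getent group output where the groups live in LDAP.

```shell
# users_in_group GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints the users pam_succeed_if "user ingroup GROUP" would accept: those whose
# primary GID is the group's GID, plus the explicit members in the group file.
users_in_group() {
    grp="$1"; pw="${2:-/etc/passwd}"; gr="${3:-/etc/group}"
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$gr")
    [ -n "$gid" ] || { echo "group '$grp' not found in $gr" >&2; return 1; }
    {
        # supplementary members: fourth field of the group entry, comma separated
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gr"
        # users whose primary group (fourth passwd field) is this GID
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pw"
    } | sort -u
}

# Constructed sample data (hypothetical users, not a real system): alice is an
# explicit member of ac_mail, bob only has ac_mail as primary group, carol is in neither.
demo_allowed_users() {
    d=$(mktemp -d)
    printf '%s\n' \
        'alice:x:1001:1001:Alice:/home/alice:/bin/sh' \
        'bob:x:1002:5000:Bob:/home/bob:/bin/sh' \
        'carol:x:1003:1003:Carol:/home/carol:/bin/sh' > "$d/passwd"
    printf '%s\n' \
        'ac_mail:x:5000:alice' \
        'users:x:100:alice,bob,carol' > "$d/group"
    users_in_group ac_mail "$d/passwd" "$d/group"
    rm -rf "$d"
}

echo "Users the ac_mail gate admits (expected: alice, bob):"
demo_allowed_users
```

Note that bob is admitted although he is not listed in the ac_mail member list, because his primary GID is the group's GID; an audit that only reads the group file would miss him.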