
LFCS Question #418: Real Exam Question with Answer & Explanation

The correct answer is C: auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail. To restrict SSH logins to specific users via pam_listfile.so, the configuration must explicitly allow users listed in a file and ensure failure if the file is unreadable.

Submitted by renata2k · Apr 18, 2026 · Service Configuration

Question

The system administrator wishes to use the pam_listfile.so module to restrict which users are allowed to login via SSH. Which line will configure this behaviour?

Options

  • A. auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
  • B. auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=succeed
  • C. auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
  • D. auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=fail

Explanation

To restrict SSH logins to specific users via pam_listfile.so, the configuration must explicitly allow users listed in a file and ensure failure if the file is unreadable.

Common mistakes.

  • A. sense=deny would prevent listed users from logging in, which is the opposite of the desired 'restrict which users are allowed' (implying a whitelist); onerr=succeed is also a security risk, allowing access if the file is missing or unreadable.
  • B. While sense=allow is correct, onerr=succeed is a security risk as it would allow all users to log in if the allow file is missing or unreadable, compromising the restriction.
  • D. sense=deny would block listed users, not allow only a specified list; while onerr=fail is generally more secure, the sense parameter is incorrect for an allowlist.

Concept tested. PAM pam_listfile.so configuration

Reference. https://manpages.debian.org/unstable/libpam-doc/pam_listfile.8.en.html
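
The behaviour described in the explanation, as an added example that is not part of the original page: a simplified Python model of pam_listfile's documented sense/onerr logic, evaluated for the four option lines with the list file present and with it missing. The user names alice and bob, the temporary file standing in for the /etc/sshd list, and the function names are assumptions made for illustration.

```python
"""Simplified model of pam_listfile's documented decision (constructed example)."""
import os
import tempfile

# The four option lines from the question, reduced to the arguments that differ.
OPTIONS = {
    "A": {"sense": "deny", "onerr": "succeed"},
    "B": {"sense": "allow", "onerr": "succeed"},
    "C": {"sense": "allow", "onerr": "fail"},
    "D": {"sense": "deny", "onerr": "fail"},
}


def listfile_permits(user, path, sense, onerr):
    """Return True if the modelled module would let `user` continue."""
    try:
        with open(path, encoding="utf-8") as fh:
            listed = user in {line.strip() for line in fh if line.strip()}
    except OSError:
        # Missing or unreadable list file: the onerr argument decides.
        return onerr == "succeed"
    # Found -> take the `sense` action; not found -> the opposite action.
    return listed if sense == "allow" else not listed


def evaluate(option, list_present):
    """Outcome for a listed user (alice) and an unlisted user (bob)."""
    args = OPTIONS[option]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sshd.list")  # stand-in for the real list file
        if list_present:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("alice\n")  # constructed entry
        return {u: listfile_permits(u, path, **args) for u in ("alice", "bob")}


if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, "file present:", evaluate(opt, True),
              "| file missing:", evaluate(opt, False))
```

Only option C admits the listed user alone when the file is present and admits nobody when it is missing; option B behaves identically until the file disappears, at which point every user passes.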

Topics

#PAM #SSH Configuration #User Authentication #Access Control
