Re: Login restrictions in NIS environment

From: James Cooley (jcooley_at_fit.edu)
Date: 06/08/05

    Date: Wed, 08 Jun 2005 10:33:01 -0400
    To: General Red Hat Linux discussion list <redhat-list@redhat.com>
    
    

    You can prevent the SSH login by adding pam_access to
    /etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth
    stack is called by both login and ssh access.

    As for su, there really isn't any way that I know of to prevent that,
    except by not making the user available in NIS.

    --James Cooley

    Richard Hobbs wrote:

    >Hello,
    >
    >OK, I now have a partly working solution... It disallows me from logging in
    >directly on the console, and it still allows everyone else access. I am
    >using James Cooley's suggestion of pam_access.
    >
    >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
    >into the machine as myself it allows it.
    >
    >How can I stop my account from logging in via SSH as well using this method?
    >
    >Here are the files from our test machine:
    >
    >/etc/pam.d/login:
    >#%PAM-1.0
    >auth required /lib/security/pam_securetty.so
    >auth required /lib/security/pam_stack.so service=system-auth
    >auth required /lib/security/pam_nologin.so
    >account required /lib/security/pam_stack.so service=system-auth
    >password required /lib/security/pam_stack.so service=system-auth
    >session required /lib/security/pam_stack.so service=system-auth
    >session optional /lib/security/pam_console.so
    >account required /lib/security/pam_access.so
    >
    >/etc/pam.d/rlogin:
    >#%PAM-1.0
    >account required /lib/security/pam_access.so
    >
    >/etc/pam.d/rsh:
    >#%PAM-1.0
    >account required /lib/security/pam_access.so
    >
    >/etc/pam.d/ftp:
    >#%PAM-1.0
    >account required /lib/security/pam_access.so
    >
    >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
    >
    >I also added the extra "account" line to the bottom of "login" as requested,
    >but is there something wrong with this file which is allowing me to log in
    >remotely and via 'su'?
    >
    >Thanks again,
    >Richard.
    >
    >
    >

    -- 
    --
    James Cooley
    Sr. Systems Analyst
    Information Technology
    Florida Tech
    321-674-7999
    jcooley@it.fit.edu
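
An added example, not part of the original thread: a small Python check that resolves `pam_stack.so service=...` references and reports whether a service's account stack reaches `pam_access.so`, showing why a line in system-auth covers both login and sshd. The `login` account lines mirror the file posted above; the `sshd` and `system-auth` contents are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample files keyed by their /etc/pam.d/ name. Only "login"
# mirrors the account lines posted in the thread; the rest are assumptions.
BEFORE = {
    "login": """\
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
""",
    "sshd": """\
auth    required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """\
auth    required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
""",
}

# The same files after adding pam_access to the system-auth account stack.
AFTER = dict(BEFORE)
AFTER["system-auth"] += "account required /lib/security/pam_access.so\n"

def account_modules(service, files, seen=None):
    """List the modules run in a service's account stack, following
    pam_stack.so service=NAME into other files (simple control keywords only)."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []  # break include loops; a missing file contributes nothing
    seen.add(service)
    modules = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments such as #%PAM-1.0
        if len(fields) < 3 or fields[0] != "account":
            continue
        module = fields[2].rsplit("/", 1)[-1]  # strip /lib/security/ prefix
        if module == "pam_stack.so":
            m = re.search(r"\bservice=(\S+)", " ".join(fields[3:]))
            if m:
                modules += account_modules(m.group(1), files, seen)
        else:
            modules.append(module)
    return modules

def enforces_access(service, files):
    """True if the service's account stack includes pam_access.so."""
    return "pam_access.so" in account_modules(service, files)
```

Pointing the same functions at the real contents of /etc/pam.d/ (read into a dict) gives a quick audit of which services would honour /etc/security/access.conf.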