RE: Login restrictions in NIS environment

From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
Date: 06/08/05

  • Next message: James Cooley: "Re: Login restrictions in NIS environment"
    To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com>
    Date: Wed, 8 Jun 2005 16:50:06 +0100
    
    

    Hello,

    OK, I have now made the following changes:

    1. Put the system back to how it was before I started all this.

    2. Add the following line into "/etc/pam.d/system-auth":
         account required /lib/security/pam_access.so

    3. Add the following line into "/etc/security/access.conf":
         -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL

    It now works perfectly! Everyone is banned from remotely logging into the
    system except rhobbs, nbaker and root!

    I need to make one more change though... And it doesn't seem to work. I need
    to ban root from logging in remotely except from certain IP addresses.

    I have tried the following, but it does not allow root to login even from
    that IP address:

         -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL

    I have also tried using the hostname, and hostname.domain.co.uk instead of
    the IP address, but root still cannot log in from that host.

    Do you know how I can ban everyone from logging in remotely, except for a
    few users, and how I can ban root from logging in from any machine except
    particular ones?

    Thanks again, this is incredibly useful and massively appreciated :-)

    Richard.

    -- 
    Richard Hobbs (Systems Administrator)
    Toshiba Research Europe Ltd. - Speech Technology Group
    Web: http://www.toshiba-europe.com/research/
    Email: richard.hobbs@crl.toshiba.co.uk
    Tel: +44 1223 376964        Mobile: +44 7811 803377 
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com 
    > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley
    > Sent: 08 June 2005 15:33
    > To: General Red Hat Linux discussion list
    > Subject: Re: Login restrictions in NIS environment
    > 
    > You can prevent the SSH login by adding pam_access to
    > /etc/pam.d/system-auth   instead of /etc/pam.d/login.   The 
    > system-auth
    > stack is called by both login and ssh access. 
    > 
    > As for su, there really isn't any way that I know of to prevent that,
    > except by not making the user available in nis.
    > 
    > --James Cooley
    > 
    > 
    > Richard Hobbs wrote:
    > 
    > >Hello,
    > >
    > >OK, I now have a partly working solution... It disallows me 
    > from logging in
    > >directly on the console, and it still allows everyone else 
    > access. I am
    > >using James Cooley's suggestion of pam_access.
    > >
    > >However, if I log in as root and 'su' to myself, it allows 
    > it, and if I SSH
    > >into the machine as myself it allows it.
    > >
    > >How can I stop my account from logging in via SSH as well 
    > using this method?
    > >
    > >Here are the files from our test machine:
    > >
    > >/etc/pam.d/login:
    > >#%PAM-1.0
    > >auth       required     /lib/security/pam_securetty.so
    > >auth       required     /lib/security/pam_stack.so 
    > service=system-auth
    > >auth       required     /lib/security/pam_nologin.so
    > >account    required     /lib/security/pam_stack.so 
    > service=system-auth
    > >password   required     /lib/security/pam_stack.so 
    > service=system-auth
    > >session    required     /lib/security/pam_stack.so 
    > service=system-auth
    > >session    optional     /lib/security/pam_console.so
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rlogin:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rsh:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/ftp:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
    > >
    > >I also added the extra "account" line to the bottom of 
    > "login" as requested,
    > >but is there something wrong with this file which is 
    > allowing me to log in
    > >remotely and via 'su' ?
    > >
    > >Thanks again,
    > >Richard.
    > >
    > >  
    > >
    > 
    > 
    > -- 
    > --
    > James Cooley
    > Sr. Systems Analyst
    > Information Technology
    > Florida Tech
    > 321-674-7999
    > jcooley@it.fit.edu
    > 
    > -- 
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list
    > 
    > _____________________________________________________________________
    > This e-mail has been scanned for viruses by MCI's Internet 
    > Managed Scanning Services - powered by MessageLabs. For 
    > further information visit http://www.mci.com
    > 
    _____________________________________________________________________
    This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
    

  • Next message: James Cooley: "Re: Login restrictions in NIS environment"