RE: Login restrictions in NIS environment
From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
To: "'General Red Hat Linux discussion list'" <firstname.lastname@example.org>
Date: Wed, 8 Jun 2005 16:50:06 +0100
OK, I have now made the following changes:
1. Put the system back to how it was before I started all this.
2. Add the following line into "/etc/pam.d/system-auth":
account required /lib/security/pam_access.so
3. Add the following line into "/etc/security/access.conf":
-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
It now works perfectly! Everyone is banned from remotely logging into the
system except rhobbs, nbaker and root!
I need to make one more change though... And it doesn't seem to work. I need
to ban root from logging in remotely except from certain IP addresses.
I have tried the following, but it does not allow root to login even from
that IP address:
-:ALL EXCEPT rhobbs nbaker email@example.com:ALL EXCEPT LOCAL
I have also tried using the hostname, and hostname.domain.co.uk instead of
the IP address, but root still cannot log in from that host.
Do you know how I can ban everyone from logging in remotely, except for a
few users, and how I can ban root from logging in from any machine except
Thanks again, this is incredibly useful and massively appreciated :-)
--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: firstname.lastname@example.org
Tel: +44 1223 376964
Mobile: +44 7811 803377

> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of James Cooley
> Sent: 08 June 2005 15:33
> To: General Red Hat Linux discussion list
> Subject: Re: Login restrictions in NIS environment
>
> You can prevent the SSH login by adding pam_access to
> /etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth
> stack is called by both login and ssh access.
>
> As for su, there really isn't any way that I know of to prevent that,
> except by not making the user available in nis.
>
> --James Cooley
>
> Richard Hobbs wrote:
>
> >Hello,
> >
> >OK, I now have a partly working solution... It disallows me from logging in
> >directly on the console, and it still allows everyone else access. I am
> >using James Cooley's suggestion of pam_access.
> >
> >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
> >into the machine as myself it allows it.
> >
> >How can I stop my account from logging in via SSH as well using this method?
> >
> >Here are the files from our test machine:
> >
> >/etc/pam.d/login:
> >#%PAM-1.0
> >auth required /lib/security/pam_securetty.so
> >auth required /lib/security/pam_stack.so service=system-auth
> >auth required /lib/security/pam_nologin.so
> >account required /lib/security/pam_stack.so service=system-auth
> >password required /lib/security/pam_stack.so service=system-auth
> >session required /lib/security/pam_stack.so service=system-auth
> >session optional /lib/security/pam_console.so
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rlogin:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rsh:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/ftp:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
> >
> >I also added the extra "account" line to the bottom of "login" as requested,
> >but is there something wrong with this file which is allowing me to log in
> >remotely and via 'su' ?
> >
> >Thanks again,
> >Richard.
>
> --
> James Cooley
> Sr. Systems Analyst
> Information Technology
> Florida Tech
> 321-674-7999
> email@example.com
>
> --
> redhat-list mailing list
> unsubscribe mailto:firstname.lastname@example.org?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
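How pam_access actually walks the rules in access.conf, as an added illustration that is not part of this thread: a small Python model of first-match evaluation over the rule from the message above plus a hypothetical second rule that limits root to the console and one admin address (10.1.2.3 is a constructed placeholder). It simplifies LOCAL to "an origin without a dot" (a tty or bare hostname) and omits netgroups, netmasks and IPv6.

```python
# Added illustration (not from the mailing-list thread): a simplified model of
# pam_access.so reading /etc/security/access.conf. Rules are "perm:users:origins";
# the first rule whose user list AND origin list both match decides; no match
# means access is permitted. Real pam_access supports more origin forms.

ACCESS_CONF = """
# the rule from the message above
-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
# hypothetical extra rule: root only from the console or from 10.1.2.3
-:root:ALL EXCEPT LOCAL 10.1.2.3
""".splitlines()


def parse_rule(line):
    """Return (permission, users, origins) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    perm, users, origins = line.split(":", 2)
    return perm.strip(), users.split(), origins.split()


def list_match(tokens, value, match_token):
    """pam_access list semantics: items before EXCEPT count, items after it exclude."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], value, match_token)
                and not list_match(tokens[i + 1:], value, match_token))
    return any(match_token(tok, value) for tok in tokens)


def user_match(tok, user):
    return tok == "ALL" or tok == user


def origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":          # simplified: ttys and bare hostnames contain no '.'
        return "." not in origin
    if tok.endswith("."):       # dotted network prefix, e.g. "10.1.2."
        return origin.startswith(tok)
    return tok == origin


def check_access(conf_lines, user, origin):
    """True if the login is permitted for this user arriving from this origin."""
    for line in conf_lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        perm, users, origins = rule
        if list_match(users, user, user_match) and list_match(origins, origin, origin_match):
            return perm == "+"
    return True
```

Because the first rule already exempts root, a separate root-only rule is what carries the per-host restriction; the order of the two lines does not change the result here, since each names disjoint users.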