RE: Login restrictions in NIS environment

From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
Date: 06/08/05

  • Next message: James Cooley: "Re: Login restrictions in NIS environment"
    To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com>
    Date: Wed, 8 Jun 2005 16:50:06 +0100
    
    

    Hello,

    OK, I have now made the following changes:

    1. Put the system back to how it was before I started all this.

    2. Added the following line to "/etc/pam.d/system-auth":
         account required /lib/security/pam_access.so

    3. Added the following line to "/etc/security/access.conf":
         -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL

    It now works perfectly! Everyone is banned from remotely logging into the
    system except rhobbs, nbaker and root!

    I need to make one more change though... And it doesn't seem to work. I need
    to ban root from logging in remotely except from certain IP addresses.

    I have tried the following, but it does not allow root to login even from
    that IP address:

         -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL

    I have also tried using the hostname, and hostname.domain.co.uk instead of
    the IP address, but root still cannot log in from that host.

    Do you know how I can ban everyone from logging in remotely, except for a
    few users, and how I can ban root from logging in from any machine except
    particular ones?

    Thanks again, this is incredibly useful and massively appreciated :-)

    Richard.

    -- 
    Richard Hobbs (Systems Administrator)
    Toshiba Research Europe Ltd. - Speech Technology Group
    Web: http://www.toshiba-europe.com/research/
    Email: richard.hobbs@crl.toshiba.co.uk
    Tel: +44 1223 376964        Mobile: +44 7811 803377 
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com 
    > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley
    > Sent: 08 June 2005 15:33
    > To: General Red Hat Linux discussion list
    > Subject: Re: Login restrictions in NIS environment
    > 
    > You can prevent the SSH login by adding pam_access to
    > /etc/pam.d/system-auth   instead of /etc/pam.d/login.   The 
    > system-auth
    > stack is called by both login and ssh access. 
    > 
    > As for su, there really isn't any way that I know of to prevent that,
    > except by not making the user available in nis.
    > 
    > --James Cooley
    > 
    > 
    > Richard Hobbs wrote:
    > 
    > >Hello,
    > >
    > >OK, I now have a partly working solution... It disallows me from logging in
    > >directly on the console, and it still allows everyone else access. I am
    > >using James Cooley's suggestion of pam_access.
    > >
    > >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
    > >into the machine as myself it allows it.
    > >
    > >How can I stop my account from logging in via SSH as well using this method?
    > >
    > >Here are the files from our test machine:
    > >
    > >/etc/pam.d/login:
    > >#%PAM-1.0
    > >auth       required     /lib/security/pam_securetty.so
    > >auth       required     /lib/security/pam_stack.so service=system-auth
    > >auth       required     /lib/security/pam_nologin.so
    > >account    required     /lib/security/pam_stack.so service=system-auth
    > >password   required     /lib/security/pam_stack.so service=system-auth
    > >session    required     /lib/security/pam_stack.so service=system-auth
    > >session    optional     /lib/security/pam_console.so
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rlogin:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rsh:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/ftp:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
    > >
    > >I also added the extra "account" line to the bottom of "login" as requested,
    > >but is there something wrong with this file which is allowing me to log in
    > >remotely and via 'su'?
    > >
    > >Thanks again,
    > >Richard.
    > >
    > >  
    > >
    > 
    > 
    > -- 
    > --
    > James Cooley
    > Sr. Systems Analyst
    > Information Technology
    > Florida Tech
    > 321-674-7999
    > jcooley@it.fit.edu
    > 
    > -- 
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list
    > 
    > 
    
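The access.conf behaviour the post is wrestling with can be checked offline before touching a production box. The following is an added example, not code from the thread or from Linux-PAM itself: a small Python model of the documented first-match evaluation of /etc/security/access.conf (permission : users : origins, ALL, EXCEPT, LOCAL, ".domain" suffixes, "1.2.3." prefixes, "(group)" entries, and the "user@host" form in the users field, whose host part is matched against the hostname of the machine being logged into rather than the login's origin). It feeds the one-line rule quoted above and a three-rule rewrite of the same intent through that model. LOCAL_HOSTNAME, GROUPS, the "FIXED" rule set and all test users and origins are constructed for the demonstration; network/netmask origins and DNS resolution are not modelled.

```python
"""Model of how pam_access evaluates /etc/security/access.conf rules.

Added example, not code from the thread or from Linux-PAM. It follows the
documented first-match semantics: each rule is "permission : users : origins";
ALL always matches; a match is cancelled if the list after EXCEPT also matches;
LOCAL matches any origin string with no '.'; ".domain" is a hostname suffix and
"1.2.3." a numeric prefix; "(group)" is a group; and "user@host" in the users
field compares host with the LOCAL hostname, not with where the login comes from.
"""

LOCAL_HOSTNAME = "testbox"                 # assumed: hostname of the target box
GROUPS = {"wheel": {"rhobbs", "nbaker"}}   # assumed membership for "(group)" tokens


def _origin_match(tok, origin):
    """One token of the origins field against where the login comes from."""
    t = tok.upper()
    if t == "ALL":
        return True
    if t == "LOCAL":
        return "." not in origin           # ttys AND short hostnames both qualify
    if tok.startswith("."):
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):
        return origin.startswith(tok)
    return tok.lower() == origin.lower()


def _user_match(tok, user, origin):
    """One token of the users field against the user logging in."""
    if tok.upper() == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return user in GROUPS.get(tok[1:-1], set())
    if "@" in tok:
        # Host part is compared with the LOCAL hostname, so "root@192.168.0.2"
        # only ever matches on a machine whose own hostname is 192.168.0.2.
        name, host = tok.split("@", 1)
        return _user_match(name, user, origin) and _origin_match(host, LOCAL_HOSTNAME)
    return tok == user


def _list_match(tokens, match):
    """Tokens before EXCEPT are tried in order; a hit is cancelled when the
    list after EXCEPT (evaluated the same way) also matches."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    else:
        head, tail = tokens, []
    if not any(match(t) for t in head):
        return False
    return not _list_match(tail, match)    # empty tail => nothing cancels the hit


def parse_access_conf(text):
    """Return [(allow, users_tokens, origins_tokens)] in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def check_access(rules, user, origin):
    """First matching rule decides: (allowed, rule_index). No match => allowed."""
    for i, (allow, users, origins) in enumerate(rules):
        if (_list_match(users, lambda t: _user_match(t, user, origin))
                and _list_match(origins, lambda t: _origin_match(t, origin))):
            return allow, i
    return True, None


# The single line from the post above; it still denies root from 192.168.0.2.
BROKEN = "-:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL\n"

# Assumed rewrite of the same intent as three first-match rules: root from the
# one address, then root from anywhere else non-local, then everyone else.
FIXED = """\
+ : root : 192.168.0.2
- : root : ALL EXCEPT LOCAL
- : ALL EXCEPT rhobbs nbaker : ALL EXCEPT LOCAL
"""

BROKEN_RULES = parse_access_conf(BROKEN)
FIXED_RULES = parse_access_conf(FIXED)

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for user, origin in (("root", "192.168.0.2"), ("root", "10.0.0.5"),
                             ("root", "tty1"), ("rhobbs", "10.0.0.5"),
                             ("jsmith", "ws.domain.co.uk"), ("jsmith", "shorthost")):
            allowed, idx = check_access(rules, user, origin)
            print(f"{label:6} {user:7} from {origin:16} -> "
                  f"{'ALLOW' if allowed else 'DENY '} (rule {idx})")
```

Two things the run makes visible. First, in the one-line form the "root@192.168.0.2" exception never fires, because the host half is compared with the local hostname, so root from 192.168.0.2 still hits the deny rule; splitting the intent into ordered rules with the address in the origins field is what expresses "root only from here". Second, LOCAL is simply "origin contains no dot": a console tty qualifies, but so does a short, unqualified hostname, so if sshd hands PAM a reverse-resolved short name instead of an address that login is treated as local. Test with the origin form your sshd actually passes, and prefer numeric addresses or fully qualified names in the origins field.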
