RE: Login restrictions in NIS environment

From: Chiu, PCM (Peter) (P.C.M.Chiu_at_rl.ac.uk)
Date: 06/08/05

    Date: Wed, 8 Jun 2005 17:57:18 +0100
    To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    
    

    I would have thought in access.conf, add at the top

    +:root:allowed_machine_name_or_address
    -:ALL EXCEPT rhobbs nbaker

    should do the trick.

    Peter

    -----Original Message-----
    From: redhat-list-bounces@redhat.com
    [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs
    Sent: 08 June 2005 16:50
    To: 'General Red Hat Linux discussion list'
    Subject: RE: Login restrictions in NIS environment

    Hello,

    OK, I have now made the following changes:

    1. Put the system back to how it was before I started all this.

    2. Add the following line into "/etc/pam.d/system-auth":
         account required /lib/security/pam_access.so

    3. Add the following line into "/etc/security/access.conf":
         -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL

    It now works perfectly! Everyone is banned from remotely logging into
    the system except rhobbs, nbaker and root!

    I need to make one more change though... And it doesn't seem to work. I
    need to ban root from logging in remotely except from certain IP
    addresses.

    I have tried the following, but it does not allow root to login even
    from that IP address:

         -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL

    I have also tried using the hostname, and hostname.domain.co.uk instead
    of the IP address, but root still cannot log in from that host.

    Do you know how I can ban everyone from logging in remotely, except for
    a few users, and how I can ban root from logging in from any machine
    except particular ones?

    Thanks again, this is incredibly useful and massively appreciated :-)

    Richard.

    -- 
    Richard Hobbs (Systems Administrator)
    Toshiba Research Europe Ltd. - Speech Technology Group
    Web: http://www.toshiba-europe.com/research/
    Email: richard.hobbs@crl.toshiba.co.uk
    Tel: +44 1223 376964        Mobile: +44 7811 803377 
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com
    > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley
    > Sent: 08 June 2005 15:33
    > To: General Red Hat Linux discussion list
    > Subject: Re: Login restrictions in NIS environment
    > 
    > You can prevent the SSH login by adding pam_access to
    > /etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth
    > stack is called by both login and ssh access.
    > 
    > As for su, there really isn't any way that I know of to prevent that, 
    > except by not making the user available in nis.
    > 
    > --James Cooley
    > 
    > 
    > Richard Hobbs wrote:
    > 
    > >Hello,
    > >
    > >OK, I now have a partly working solution... It disallows me from logging in
    > >directly on the console, and it still allows everyone else access. I am
    > >using James Cooley's suggestion of pam_access.
    > >
    > >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
    > >into the machine as myself it allows it.
    > >
    > >How can I stop my account from logging in via SSH as well using this method?
    > >
    > >Here are the files from our test machine:
    > >
    > >/etc/pam.d/login:
    > >#%PAM-1.0
    > >auth       required     /lib/security/pam_securetty.so
    > >auth       required     /lib/security/pam_stack.so service=system-auth
    > >auth       required     /lib/security/pam_nologin.so
    > >account    required     /lib/security/pam_stack.so service=system-auth
    > >password   required     /lib/security/pam_stack.so service=system-auth
    > >session    required     /lib/security/pam_stack.so service=system-auth
    > >session    optional     /lib/security/pam_console.so
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rlogin:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/rsh:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >/etc/pam.d/ftp:
    > >#%PAM-1.0
    > >account    required     /lib/security/pam_access.so
    > >
    > >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
    > >
    > >I also added the extra "account" line to the bottom of "login" as requested,
    > >but is there something wrong with this file which is allowing me to log in
    > >remotely and via 'su' ?
    > >
    > >Thanks again,
    > >Richard.
    > >
    > >  
    > >
    > 
    > 
    > --
    > --
    > James Cooley
    > Sr. Systems Analyst
    > Information Technology
    > Florida Tech
    > 321-674-7999
    > jcooley@it.fit.edu
    > 
    > --
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list
    > 
    > _____________________________________________________________________
    > This e-mail has been scanned for viruses by MCI's Internet
    > Managed Scanning Services - powered by MessageLabs. For 
    > further information visit http://www.mci.com
    > 
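The rules discussed in this thread are evaluated by pam_access on a first-match basis, so rule order and field syntax decide the outcome. The following is an added illustration, not code from the thread or from Linux-PAM: a simplified evaluator for `access.conf` lines (`permission:users:origins`) run over two constructed rule sets. The first is the single line reported above as not working; the second puts a grant line for root from the allowed address ahead of the deny line, the ordering suggested in the reply, with the origins field written out. The local host name `testbox`, the user/origin pairs, and the address `10.0.0.5` are constructed for the example. Two points it makes visible: pam_access compares the host part of a `user@host` token in the users field with the local machine's own host name (it is meant for one access file shared across NIS hosts), not with where the login comes from; and a line without all three fields is logged and skipped, after which a login that matches no rule is granted. Group names, netgroups, netmask origins and the resolver-based `LOCAL` check of newer releases are not modelled.

```python
"""Simplified evaluator for pam_access rules (access.conf).

Added illustration, not Linux-PAM code. Models first-match semantics of
    permission : users : origins
Not modelled: (group) names, @netgroups, netmask origins, IPv6, and the
newer resolver-based LOCAL check.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    permission: str  # '+' grants, '-' denies
    users: str       # raw users field, e.g. "ALL EXCEPT rhobbs nbaker"
    origins: str     # raw origins field, e.g. "ALL EXCEPT LOCAL"


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text. A line without three non-empty ':'-separated
    fields is skipped, as pam_access does (it logs a bad field count)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or not all(fields) or fields[0] not in ("+", "-"):
            continue
        rules.append(Rule(*fields))
    return rules


def _origin_matches(tok: str, origin: str) -> bool:
    """One token of the origins field against where the login comes from."""
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in origin     # simplified: a tty or a short host name
    if tok.endswith("."):            # network prefix, e.g. 192.168.0.
        return origin.startswith(tok)
    if tok.startswith("."):          # domain suffix, e.g. .domain.co.uk
        return origin.lower().endswith(tok.lower())
    return tok.lower() == origin.lower()


def _user_matches(tok: str, user: str, local_host: str) -> bool:
    """One token of the users field. For user@host the host part is matched
    against the LOCAL machine's name (pam_access uses gethostname()), which
    selects the host the rule applies on, not the login origin."""
    if tok.upper() == "ALL":
        return True
    if "@" in tok and not tok.startswith("@"):
        name, host = tok.split("@", 1)
        return name == user and _origin_matches(host, local_host)
    return tok == user


def _list_matches(field: str, match_one: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches if any of a, b matches and none of c, d."""
    toks = field.split()
    upper = [t.upper() for t in toks]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(toks)
    base, exc = toks[:cut], toks[cut + 1:]
    return any(match_one(t) for t in base) and not any(match_one(t) for t in exc)


def check_access(rules: List[Rule], user: str, origin: str,
                 local_host: str = "testbox") -> Tuple[bool, Optional[Rule]]:
    """First matching rule decides; with no matching rule access is granted."""
    for rule in rules:
        if (_list_matches(rule.users, lambda t: _user_matches(t, user, local_host))
                and _list_matches(rule.origins, lambda t: _origin_matches(t, origin))):
            return rule.permission == "+", rule
    return True, None


# Constructed rule sets; local host name 'testbox' and 10.0.0.5 are constructed.
ATTEMPT = "-:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL\n"
GRANT_FIRST = "+:root:192.168.0.2\n-:ALL EXCEPT rhobbs nbaker:ALL EXCEPT LOCAL\n"
CASES = [("root", "192.168.0.2"), ("root", "10.0.0.5"), ("root", "tty1"),
         ("rhobbs", "10.0.0.5"), ("alice", "10.0.0.5")]


def evaluate(conf: str) -> dict:
    """Map (user, origin) -> allowed for every constructed case."""
    rules = parse_access_conf(conf)
    return {case: check_access(rules, *case)[0] for case in CASES}


if __name__ == "__main__":
    for label, conf in (("attempt", ATTEMPT), ("grant-first", GRANT_FIRST)):
        print(label)
        for (user, origin), allowed in evaluate(conf).items():
            print(f"  {user:>7} from {origin:<12} {'allow' if allowed else 'DENY'}")
```

Running it shows root from 192.168.0.2 denied under the single-line attempt (the `root@192.168.0.2` token never matches on a host named `testbox`, so root falls under `ALL`) and granted under the grant-first ordering, while rhobbs, nbaker and console logins behave the same in both. Feeding a two-field line such as `-:ALL EXCEPT rhobbs nbaker` to `parse_access_conf` yields no rule at all, so every login is granted; after editing `access.conf` it is worth checking the system log for pam_access complaints before trusting the result.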
    
