RE: Login restrictions in NIS environment

From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
Date: 06/09/05

    To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com>
    Date: Thu, 9 Jun 2005 08:56:06 +0100

    Hello,

    Thanks for all the help on this people :-) It's very much appreciated.

    I am now closer to a solution, but have a slightly different problem. IMAP
    logins are restricted - I shall explain my situation.

    The relevant files now look like this:

    /etc/pam.d/imap:
    auth required /lib/security/pam_stack.so service=system-auth
    account required /lib/security/pam_stack.so service=system-auth

    /etc/pam.d/login:
    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth
    session optional /lib/security/pam_console.so

    /etc/security/access.conf:
    +:root:192.168.0.2
    -:root:ALL EXCEPT LOCAL
    +:monitoring rhobbs nbaker:ALL
    -:ALL:ALL EXCEPT LOCAL

    /etc/pam.d/system-auth:
    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth required /lib/security/pam_deny.so
    account required /lib/security/pam_unix.so
    account required /lib/security/pam_access.so
    password required /lib/security/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
    password required /lib/security/pam_deny.so
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so

    So, as you can see, both login and IMAP use system-auth for "account".

    "access.conf" allows root to login from 192.168.0.2 and denies it from
    everywhere else except LOCAL. It also allows "monitoring", "rhobbs" and
    "nbaker" to login from anywhere, but then denies everyone else from
    everywhere except LOCAL. This seems to work fine.

    However, the user "monitoring" can not login via IMAP unless the following
    line is commented out of "/etc/pam.d/system-auth":

         account required /lib/security/pam_access.so

    Do you know why this is?? How can I fix it? Will any other issues arise
    like this which we won't notice until they are tested?

    Thanks again,
    Hobbs.

    -- 
    Richard Hobbs (Systems Administrator)
    Toshiba Research Europe Ltd. - Speech Technology Group
    Web: http://www.toshiba-europe.com/research/
    Email: richard.hobbs@crl.toshiba.co.uk
    Tel: +44 1223 376964        Mobile: +44 7811 803377 
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com 
    > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley
    > Sent: 08 June 2005 20:26
    > To: General Red Hat Linux discussion list
    > Subject: Re: Login restrictions in NIS environment
    > 
    > try:
    > 
    > +:root:192.168.0.2
    > -:root:ALL EXCEPT LOCAL
    > 
    > Alternatively, since the rules are on a 'first match wins' basis you
    > could set all of your allowed accesses first ( with + signs).  At the
    > end of the file, you can put:
    > 
    > -:ALL:ALL
    > 
    > which will deny everyone else.
    > 
    > --James Cooley
    > 
    > 
    > 
    > Richard Hobbs wrote:
    > 
    > >Hello,
    > >
    > >OK, I have now made the following changes:
    > >
    > >
    > >1. Put the system back to how it was before I started all this.
    > >
    > >
    > >2. Add the following line into "/etc/pam.d/system-auth":
    > >     account    required     /lib/security/pam_access.so
    > >
    > >
    > >3. Add the following line into "/etc/security/access.conf":
    > >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
    > >
    > >
    > >It now works perfectly! Everyone is banned from remotely logging into the
    > >system except rhobbs, nbaker and root!
    > >
    > >I need to make one more change though... And it doesn't seem to work. I need
    > >to ban root from logging in remotely except from certain IP addresses.
    > >
    > >I have tried the following, but it does not allow root to login even from
    > >that IP address:
    > >
    > >     -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL
    > >
    > >I have also tried using the hostname, and hostname.domain.co.uk instead of
    > >the IP address, but root still cannot log in from that host.
    > >
    > >Do you know how I can ban everyone from logging in remotely, except for a
    > >few users, and how I can ban root from logging in from any machine except
    > >particular ones?
    > >
    > >Thanks again, this is incredibly useful and massively appreciated :-)
    > >
    > >Richard.
    > >
    > >  
    > >
    > 
    > 
    > -- 
    > --
    > James Cooley
    > Sr. Systems Analyst
    > Information Technology
    > Florida Tech
    > 321-674-7999
    > jcooley@it.fit.edu
    > 
    > -- 
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list
    > 
    > _____________________________________________________________________
    > This e-mail has been scanned for viruses by MCI's Internet 
    > Managed Scanning Services - powered by MessageLabs. For 
    > further information visit http://www.mci.com
    > 
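As an added example (not code from the thread, and not Linux-PAM's own pam_access implementation), the following Python model implements the documented access.conf rule semantics so that a rule set like the one posted above can be checked against (user, origin) pairs before it is deployed. The posted access.conf and the (user, origin) pairs are embedded as sample input. Two simplifications are assumed: group names and user@host patterns in the users field are not modelled, and the origin is taken as a plain string (a remote host name or address, or a tty name such as "tty1" for a console login).

```python
"""Model of /etc/security/access.conf evaluation (first match wins).

Added example, not code from the mailing-list thread or from Linux-PAM.
It implements the documented rule semantics of access.conf so a file such
as the one posted in the thread can be checked offline against
(user, origin) pairs. Assumptions (not pam_access behaviour): group names
and user@host patterns are not modelled; the origin is a plain string.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    permit: bool            # '+' grants, '-' denies
    users: List[str]
    users_except: bool      # users field was written as "ALL EXCEPT ..."
    origins: List[str]
    origins_except: bool    # origins field was written as "ALL EXCEPT ..."


def _parse_list(field: str) -> Tuple[List[str], bool]:
    toks = field.split()
    if len(toks) >= 2 and toks[0] == "ALL" and toks[1] == "EXCEPT":
        return toks[2:], True
    return toks, False


def parse_access_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [f.strip() for f in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        users, users_except = _parse_list(parts[1])
        if any("@" in u for u in users):
            raise ValueError("user@host patterns are not modelled here")
        origins, origins_except = _parse_list(parts[2])
        rules.append(Rule(parts[0] == "+", users, users_except, origins, origins_except))
    return rules


def _user_matches(pattern: str, user: str) -> bool:
    return pattern == "ALL" or pattern == user


def _origin_matches(pattern: str, origin: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # access.conf documents LOCAL as matching any origin string that
        # contains no "." (tty names, unqualified host names).
        return "." not in origin
    if pattern.startswith("."):      # domain suffix, e.g. ".example.co.uk"
        return origin.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. "192.168.0."
        return origin.startswith(pattern)
    return pattern == origin         # exact host name or address


def _field_matches(patterns, is_except, value, matcher) -> bool:
    hit = any(matcher(p, value) for p in patterns)
    return (not hit) if is_except else hit


def decide(rules: List[Rule], user: str, origin: str) -> Tuple[bool, Optional[int]]:
    """Return (granted, index of the matching rule). First match wins; if no
    rule matches, access is granted and the index is None."""
    for i, r in enumerate(rules):
        if (_field_matches(r.users, r.users_except, user, _user_matches)
                and _field_matches(r.origins, r.origins_except, origin, _origin_matches)):
            return r.permit, i
    return True, None


# The access.conf posted in the thread, reproduced here as sample input.
THREAD_ACCESS_CONF = """\
+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
"""
THREAD_RULES = parse_access_conf(THREAD_ACCESS_CONF)

if __name__ == "__main__":
    # Constructed (user, origin) pairs; "tty1" stands for a console login and
    # "alice" for an ordinary NIS user not named in the file.
    for user, origin in [("root", "192.168.0.2"), ("root", "10.0.0.5"),
                         ("root", "tty1"), ("monitoring", "10.0.0.5"),
                         ("alice", "10.0.0.5"), ("alice", "tty1")]:
        granted, idx = decide(THREAD_RULES, user, origin)
        rule = "no rule, default grant" if idx is None else f"rule {idx}"
        print(f"{user:>10} from {origin:<12} -> {'ALLOW' if granted else 'DENY '} ({rule})")
```

Run as a script it prints one decision per pair. Under the posted rules the model grants "monitoring" from every origin it can represent, including a tty name and an empty string, so the rule text alone does not predict the IMAP denial reported above; pam_access evaluates the origin the service places in the PAM handle (the remote host if one is set, otherwise the tty), which is why the model takes the origin as an explicit input and why the IMAP daemon's authentication log entries are the place to see what value it actually supplied.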
    
