RE: Login restrictions in NIS environment
From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
Date: 06/09/05
- Previous message: Richard Hobbs: "RE: Login restrictions in NIS environment"
- In reply to: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Next in thread: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Reply: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com> Date: Thu, 9 Jun 2005 10:57:57 +0100
Hello,
Apologies to all... My mail client and the machine it was on actually needed
rebooting for some reason... IMAP authenticates perfectly now :-)
Thanks to all who have helped!! Here's a summary of what I required, and
what I have done to get it:
Requirements:
"root" can only log in from certain machines, and is banned from all others
except LOCAL.
"rhobbs", "nbaker" and "monitoring" can log in from any machine.
All other users cannot login from anywhere except LOCAL.
Resolution:
1. Add the following line to "/etc/pam.d/system-auth":
account required /lib/security/pam_access.so
2. Add the following lines to "/etc/security/access.conf":
+:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
It seems to work perfectly! :-)
Thanks again people!
Hobbs.
-- Richard Hobbs (Systems Administrator) Toshiba Research Europe Ltd. - Speech Technology Group Web: http://www.toshiba-europe.com/research/ Email: richard.hobbs@crl.toshiba.co.uk Tel: +44 1223 376964 Mobile: +44 7811 803377 > -----Original Message----- > From: redhat-list-bounces@redhat.com > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs > Sent: 09 June 2005 09:15 > To: 'General Red Hat Linux discussion list' > Subject: RE: Login restrictions in NIS environment > > Hello, > > Change of plan actually... Even commenting out that line in > "/etc/pam.d/system-auth" doesn't make a difference... I still > cannot login > via IMAP. > > Thanks again for any suggestions. > > Hobbs. > > -- > Richard Hobbs (Systems Administrator) > Toshiba Research Europe Ltd. - Speech Technology Group > Web: http://www.toshiba-europe.com/research/ > Email: richard.hobbs@crl.toshiba.co.uk > Tel: +44 1223 376964 Mobile: +44 7811 803377 > > > -----Original Message----- > > From: redhat-list-bounces@redhat.com > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs > > Sent: 09 June 2005 08:56 > > To: 'General Red Hat Linux discussion list' > > Subject: RE: Login restrictions in NIS environment > > > > Hello, > > > > Thanks for all the help on this people :-) It's very much > appreciated. > > > > I am now closer to a solution, but have a slightly different > > problem. IMAP > > logins are restricted - I shall explain my situation. > > > > The relevant files now look like this: > > > > /etc/pam.d/imap: > > auth required /lib/security/pam_stack.so > service=system-auth > > account required /lib/security/pam_stack.so > service=system-auth > > > > /etc/pam.d/login: > > auth required /lib/security/pam_securetty.so > > auth required /lib/security/pam_stack.so > service=system-auth > > auth required /lib/security/pam_nologin.so > > account required /lib/security/pam_stack.so > service=system-auth > > password required /lib/security/pam_stack.so > service=system-auth > > session required /lib/security/pam_stack.so > service=system-auth > > session optional /lib/security/pam_console.so > > > > /etc/security/access.conf: > > +:root:192.168.0.2 > > -:root:ALL EXCEPT LOCAL > > +:monitoring rhobbs nbaker:ALL > > -:ALL:ALL EXCEPT LOCAL > > > > /etc/pam.d/system-auth: > > auth required /lib/security/pam_env.so > > auth sufficient /lib/security/pam_unix.so likeauth nullok > > auth required /lib/security/pam_deny.so > > account required /lib/security/pam_unix.so > > account required /lib/security/pam_access.so > > password required /lib/security/pam_cracklib.so > retry=3 type= > > password sufficient /lib/security/pam_unix.so nullok > > use_authtok md5 > > shadow nis > > password required /lib/security/pam_deny.so > > session required /lib/security/pam_limits.so > > session required /lib/security/pam_unix.so > > > > So, as you can see, both login and IMAP both use system-auth > > for "account". > > > > "access.conf" allows root to login from 192.168.0.2 and > denies it from > > everywhere else except LOCAL. It also allows "monitoring", > > "rhobbs" and > > "nbaker" to login from anywhere, but then denies everyone else from > > everywhere except LOCAL. This seems to work fine. > > > > However, the user "monitoring" can not login via IMAP unless > > the following > > line is commented out of "/etc/pam.d/system-auth": > > > > account required /lib/security/pam_access.so > > > > Do you know why this is?? How can I fix it? Will any other > > issues arrise > > like this which we won't notice until they are tested? > > > > Thanks again, > > Hobbs. > > > > -- > > Richard Hobbs (Systems Administrator) > > Toshiba Research Europe Ltd. - Speech Technology Group > > Web: http://www.toshiba-europe.com/research/ > > Email: richard.hobbs@crl.toshiba.co.uk > > Tel: +44 1223 376964 Mobile: +44 7811 803377 > > > > > -----Original Message----- > > > From: redhat-list-bounces@redhat.com > > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley > > > Sent: 08 June 2005 20:26 > > > To: General Red Hat Linux discussion list > > > Subject: Re: Login restrictions in NIS environment > > > > > > try: > > > > > > +:root:192.168.0.2 > > > -:root:ALL EXCEPT LOCAL > > > > > > Alternatively, since the rules are on a 'first match > wins' basis you > > > could set all of your allowed accesses first ( with + > > signs). At the > > > end of the file, you can put: > > > > > > -:ALL:ALL > > > > > > which will deny everyone else. > > > > > > --James Cooley > > > > > > > > > > > > Richard Hobbs wrote: > > > > > > >Hello, > > > > > > > >OK, I have now made the following changes: > > > > > > > > > > > >1. Put the system back to how it was before I started all this. > > > > > > > > > > > >2. Add the following line into "/etc/pam.d/system-auth": > > > > account required /lib/security/pam_access.so > > > > > > > > > > > >3. Add the following line into "/etc/security/access.conf": > > > > -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL > > > > > > > > > > > >It now works perfectly! Everyone is banned from remotely > > > logging into the > > > >system except rhobbs, nbaker and root! > > > > > > > >I need to make one more change though... And it doesn't seem > > > to work. I need > > > >to ban root from logging in remotely except from certain IP > > > addresses. > > > > > > > >I have tried the following, but it does not allow root to > > > login even from > > > >that IP address: > > > > > > > > -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL > > > > > > > >I have also tried using the hostname, and > > > hostname.domain.co.uk instead of > > > >the IP address, but root still cannot log in from that host. > > > > > > > >Do you know how I can ban everyone from logging in remotely, > > > except for a > > > >few users, and how I can ban root from logging in from any > > > machine except > > > >particular ones? > > > > > > > >Thanks again, this is incredibly useful and massively > > appreciated :-) > > > > > > > >Richard. > > > > > > > > > > > > > > > > > > > > > -- > > > -- > > > James Cooley > > > Sr. Systems Analyst > > > Information Technology > > > Florida Tech > > > 321-674-7999 > > > jcooley@it.fit.edu > > > > > > -- > > > redhat-list mailing list > > > unsubscribe > > mailto:redhat-list-request@redhat.com?subject=unsubscribe > > > https://www.redhat.com/mailman/listinfo/redhat-list > > > > > > > > > _____________________________________________________________________ > > > This e-mail has been scanned for viruses by MCI's Internet > > > Managed Scanning Services - powered by MessageLabs. For > > > further information visit http://www.mci.com > > > > > > > > > > > > _____________________________________________________________________ > > This e-mail has been scanned for viruses by MCI's Internet > > Managed Scanning Services - powered by MessageLabs. For > > further information visit http://www.mci.com > > > > -- > > redhat-list mailing list > > unsubscribe > mailto:redhat-list-request@redhat.com?subject=unsubscribe > > https://www.redhat.com/mailman/listinfo/redhat-list > > > > > _____________________________________________________________________ > > This e-mail has been scanned for viruses by MCI's Internet > > Managed Scanning Services - powered by MessageLabs. For > > further information visit http://www.mci.com > > > > > > _____________________________________________________________________ > This e-mail has been scanned for viruses by MCI's Internet > Managed Scanning Services - powered by MessageLabs. For > further information visit http://www.mci.com > > -- > redhat-list mailing list > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe > https://www.redhat.com/mailman/listinfo/redhat-list > > _____________________________________________________________________ > This e-mail has been scanned for viruses by MCI's Internet > Managed Scanning Services - powered by MessageLabs. For > further information visit http://www.mci.com > _____________________________________________________________________ This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com -- redhat-list mailing list unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
- Previous message: Richard Hobbs: "RE: Login restrictions in NIS environment"
- In reply to: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Next in thread: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Reply: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
