RE: Login restrictions in NIS environment
From: Richard Hobbs (richard.hobbs_at_crl.toshiba.co.uk)
Date: 06/09/05
- Previous message: Chris St. Pierre: "Re: Anyone used an Ecrix Autopak?"
- In reply to: Richard Hobbs: "RE: Login restrictions in NIS environment"
- Next in thread: Cecilio Marín: "Re: Login restrictions in NIS environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com>
Date: Thu, 9 Jun 2005 16:18:07 +0100
Hello,
Sorry to reply to my own email for the fifth time now, but here's the latest
update on this issue...
By making these changes...
----------------------------------------------------------------------
1. Add the following line to "/etc/pam.d/system-auth":
account required /lib/security/pam_access.so
2. Add the following lines to "/etc/security/access.conf":
+:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
----------------------------------------------------------------------
...it blocks out everyone as intended, and still allows monitoring, rhobbs
and nbaker to log in, but it seems to block out IMAP connections - not after
a couple of hours though, instantly.
It appears to be the line in "/etc/pam.d/system-auth" that's causing the
issues, because even if I comment out all 4 lines in
"/etc/security/access.conf" it still denies IMAP logins.
Does anyone know why this is?
Thanks in advance,
Hobbs.
--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs@crl.toshiba.co.uk
Tel: +44 1223 376964 Mobile: +44 7811 803377

> -----Original Message-----
> From: redhat-list-bounces@redhat.com
> [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 13:24
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
>
> Hello,
>
> OK, this problem is not caused by my mail client, or my client machine. Our
> test machine is actually refusing logins via IMAP after some time.
>
> It has been working perfectly for about 2 hours, but just now it has stopped
> accepting logins via IMAP from the "monitoring" user account again.
>
> Has anyone seen this bug before? Do you know if a later version of something
> fixes the problem?
>
> Thanks again,
> Hobbs.
>
> > -----Original Message-----
> > From: redhat-list-bounces@redhat.com
> > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs
> > Sent: 09 June 2005 10:58
> > To: 'General Red Hat Linux discussion list'
> > Subject: RE: Login restrictions in NIS environment
> >
> > Hello,
> >
> > Apologies to all... My mail client and the machine it was on actually needed
> > rebooting for some reason... IMAP authenticates perfectly now :-)
> >
> > Thanks to all who have helped!! Here's a summary of what I required, and
> > what I have done to get it:
> >
> > Requirements:
> >
> > "root" can only log in from certain machines, and is banned from all others
> > except LOCAL.
> > "rhobbs", "nbaker" and "monitoring" can log in from any machine.
> > All other users cannot log in from anywhere except LOCAL.
> >
> > Resolution:
> >
> > 1. Add the following line to "/etc/pam.d/system-auth":
> > account required /lib/security/pam_access.so
> >
> > 2. Add the following lines to "/etc/security/access.conf":
> > +:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
> > -:root:ALL EXCEPT LOCAL
> > +:monitoring rhobbs nbaker:ALL
> > -:ALL:ALL EXCEPT LOCAL
> >
> > It seems to work perfectly! :-)
> >
> > Thanks again people!
> >
> > Hobbs.
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces@redhat.com
> > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs
> > > Sent: 09 June 2005 09:15
> > > To: 'General Red Hat Linux discussion list'
> > > Subject: RE: Login restrictions in NIS environment
> > >
> > > Hello,
> > >
> > > Change of plan actually... Even commenting out that line in
> > > "/etc/pam.d/system-auth" doesn't make a difference... I still cannot log in
> > > via IMAP.
> > >
> > > Thanks again for any suggestions.
> > >
> > > Hobbs.
> > >
> > > > -----Original Message-----
> > > > From: redhat-list-bounces@redhat.com
> > > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Richard Hobbs
> > > > Sent: 09 June 2005 08:56
> > > > To: 'General Red Hat Linux discussion list'
> > > > Subject: RE: Login restrictions in NIS environment
> > > >
> > > > Hello,
> > > >
> > > > Thanks for all the help on this people :-) It's very much appreciated.
> > > >
> > > > I am now closer to a solution, but have a slightly different problem. IMAP
> > > > logins are restricted - I shall explain my situation.
> > > >
> > > > The relevant files now look like this:
> > > >
> > > > /etc/pam.d/imap:
> > > > auth required /lib/security/pam_stack.so service=system-auth
> > > > account required /lib/security/pam_stack.so service=system-auth
> > > >
> > > > /etc/pam.d/login:
> > > > auth required /lib/security/pam_securetty.so
> > > > auth required /lib/security/pam_stack.so service=system-auth
> > > > auth required /lib/security/pam_nologin.so
> > > > account required /lib/security/pam_stack.so service=system-auth
> > > > password required /lib/security/pam_stack.so service=system-auth
> > > > session required /lib/security/pam_stack.so service=system-auth
> > > > session optional /lib/security/pam_console.so
> > > >
> > > > /etc/security/access.conf:
> > > > +:root:192.168.0.2
> > > > -:root:ALL EXCEPT LOCAL
> > > > +:monitoring rhobbs nbaker:ALL
> > > > -:ALL:ALL EXCEPT LOCAL
> > > >
> > > > /etc/pam.d/system-auth:
> > > > auth required /lib/security/pam_env.so
> > > > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > > > auth required /lib/security/pam_deny.so
> > > > account required /lib/security/pam_unix.so
> > > > account required /lib/security/pam_access.so
> > > > password required /lib/security/pam_cracklib.so retry=3 type=
> > > > password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> > > > password required /lib/security/pam_deny.so
> > > > session required /lib/security/pam_limits.so
> > > > session required /lib/security/pam_unix.so
> > > >
> > > > So, as you can see, both login and IMAP use system-auth for "account".
> > > >
> > > > "access.conf" allows root to log in from 192.168.0.2 and denies it from
> > > > everywhere else except LOCAL. It also allows "monitoring", "rhobbs" and
> > > > "nbaker" to log in from anywhere, but then denies everyone else from
> > > > everywhere except LOCAL. This seems to work fine.
> > > >
> > > > However, the user "monitoring" cannot log in via IMAP unless the following
> > > > line is commented out of "/etc/pam.d/system-auth":
> > > >
> > > > account required /lib/security/pam_access.so
> > > >
> > > > Do you know why this is?? How can I fix it? Will any other issues arise
> > > > like this which we won't notice until they are tested?
> > > >
> > > > Thanks again,
> > > > Hobbs.
> > > >
> > > > > -----Original Message-----
> > > > > From: redhat-list-bounces@redhat.com
> > > > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of James Cooley
> > > > > Sent: 08 June 2005 20:26
> > > > > To: General Red Hat Linux discussion list
> > > > > Subject: Re: Login restrictions in NIS environment
> > > > >
> > > > > try:
> > > > >
> > > > > +:root:192.168.0.2
> > > > > -:root:ALL EXCEPT LOCAL
> > > > >
> > > > > Alternatively, since the rules are on a 'first match wins' basis you
> > > > > could set all of your allowed accesses first (with + signs). At the
> > > > > end of the file, you can put:
> > > > >
> > > > > -:ALL:ALL
> > > > >
> > > > > which will deny everyone else.
> > > > >
> > > > > --James Cooley
> > > > >
> > > > > Richard Hobbs wrote:
> > > > >
> > > > > >Hello,
> > > > > >
> > > > > >OK, I have now made the following changes:
> > > > > >
> > > > > >1. Put the system back to how it was before I started all this.
> > > > > >
> > > > > >2. Add the following line into "/etc/pam.d/system-auth":
> > > > > > account required /lib/security/pam_access.so
> > > > > >
> > > > > >3. Add the following line into "/etc/security/access.conf":
> > > > > > -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > > > > >
> > > > > >It now works perfectly! Everyone is banned from remotely logging into the
> > > > > >system except rhobbs, nbaker and root!
> > > > > >
> > > > > >I need to make one more change though... And it doesn't seem to work. I need
> > > > > >to ban root from logging in remotely except from certain IP addresses.
> > > > > >
> > > > > >I have tried the following, but it does not allow root to log in even from
> > > > > >that IP address:
> > > > > >
> > > > > > -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL
> > > > > >
> > > > > >I have also tried using the hostname, and hostname.domain.co.uk instead of
> > > > > >the IP address, but root still cannot log in from that host.
> > > > > >
> > > > > >Do you know how I can ban everyone from logging in remotely, except for a
> > > > > >few users, and how I can ban root from logging in from any machine except
> > > > > >particular ones?
> > > > > >
> > > > > >Thanks again, this is incredibly useful and massively appreciated :-)
> > > > > >
> > > > > >Richard.
> > > > >
> > > > > --
> > > > > James Cooley
> > > > > Sr. Systems Analyst
> > > > > Information Technology
> > > > > Florida Tech
> > > > > 321-674-7999
> > > > > jcooley@it.fit.edu

_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
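Added example (editor's code, not from the thread and not from the Linux-PAM project): a small Python simulator of the classic login.access rule evaluation that pam_access of that era implemented, run over the two access.conf rule sets quoted in the thread, the final four-line set and the earlier single line with root@192.168.0.2 in the user field. The matching rules it assumes, which you should check against the access.conf(5) of the Linux-PAM you actually run, are: the first matching line wins and a login that matches no line is allowed; LOCAL matches any origin string that contains no "." (newer Linux-PAM releases redefined LOCAL in terms of PAM_RHOST being unset); origin tokens are compared as strings with no DNS resolution; and the host half of a user@host token is compared with the local machine's hostname, not with the client's address, which is what the module source does and is why that single-line attempt denies root even from 192.168.0.2. The server name testbox.example.org, the user alice, and the origins 10.0.0.5, mail.example.org, pts/3 and the dotless name "intruder" are constructed for the demonstration. The simulator does not model how pam_access chooses the origin (PAM_RHOST, falling back to PAM_TTY), which is the service-side difference to look at when login and IMAP share one account stack yet behave differently.

```python
"""Simulator of the classic pam_access / login.access rule evaluation.

Added example, not code from the thread. Assumed semantics (check your
installed access.conf(5)): first matching line wins, and NO matching line
means access is granted. Origin tokens: ALL, LOCAL (any origin string with
no "."), an exact host/address string, ".domain" suffix, "net." prefix.
User tokens: ALL, an exact login name, or "user@host" where host is matched
against the LOCAL machine's hostname. No netgroups, no DNS lookups.
"""

LOCAL_HOSTNAME = "testbox.example.org"   # hypothetical name of the server


def parse_access_conf(text):
    """Return [(perm, user_tokens, origin_tokens)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def list_match(tokens, match_fn):
    """Tokens before the first EXCEPT are alternatives; a hit is cancelled
    when the remainder after EXCEPT (evaluated the same way) also matches."""
    head, tail = tokens, []
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            head, tail = tokens[:i], tokens[i + 1:]
            break
    if not any(match_fn(t) for t in head):
        return False
    return not (tail and list_match(tail, match_fn))


def origin_match(tok, origin):
    """Match one token of the third field against the origin string."""
    t, o = tok.lower(), origin.lower()
    if t == "all":
        return True
    if t == "local":                 # classic semantic: no dot in the origin
        return "." not in o
    if t == o:                       # exact host name or address string
        return True
    if t.startswith("."):            # domain suffix, e.g. .crl.toshiba.co.uk
        return len(o) > len(t) and o.endswith(t)
    if t.endswith("."):              # network prefix, e.g. 192.168.0.
        return o.startswith(t)
    return False


def user_match(tok, user, local_host=LOCAL_HOSTNAME):
    """Match one token of the second field against the login name."""
    if tok.upper() == "ALL":
        return True
    at = tok.find("@", 1)            # user@host: host is the LOCAL hostname
    if at > 0:
        return (user_match(tok[:at], user, local_host)
                and origin_match(tok[at + 1:], local_host))
    return tok.lower() == user.lower()


def access_decision(rules, user, origin):
    """True = access granted. The first line whose origins and users both
    match decides by its sign; with no matching line pam_access lets you in."""
    for perm, users, origins in rules:
        if (list_match(origins, lambda t: origin_match(t, origin))
                and list_match(users, lambda t: user_match(t, user))):
            return perm == "+"
    return True


# The four-line rule set the thread ends up with.
FINAL_RULES = parse_access_conf("""
+:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
""")

# The earlier single-line attempt with root@192.168.0.2 in the user field.
EARLY_RULES = parse_access_conf("""
-:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL
""")

if __name__ == "__main__":
    # Constructed (user, origin) pairs; alice, 10.0.0.5, mail.example.org,
    # pts/3 and the dotless remote name "intruder" are hypothetical.
    for label, rules, user, origin in [
            ("final", FINAL_RULES, "root", "stg2.crl.toshiba.co.uk"),
            ("final", FINAL_RULES, "root", "192.168.0.2"),
            ("final", FINAL_RULES, "root", "tty1"),
            ("final", FINAL_RULES, "monitoring", "10.0.0.5"),
            ("final", FINAL_RULES, "alice", "mail.example.org"),
            ("final", FINAL_RULES, "alice", "pts/3"),
            ("final", FINAL_RULES, "alice", "intruder"),
            ("early", EARLY_RULES, "root", "192.168.0.2"),
            ("early", EARLY_RULES, "rhobbs", "192.168.0.2")]:
        verdict = "ALLOW" if access_decision(rules, user, origin) else "DENY"
        print(f"{label} {user:>10} from {origin:<24} {verdict}")
```

Three of the rows are the ones worth staring at. Under the final rules, root from 192.168.0.2 is denied because the + line names FQDNs and the origin is compared as a string, so a daemon that hands pam_access the numeric address instead of the resolved name falls through to the next deny line. The "early" rows reproduce the thread's observation exactly: root is refused from 192.168.0.2 while rhobbs gets in, because the host half of root@192.168.0.2 is checked against the server's own name. And the "intruder" row is the security edge of the classic LOCAL keyword: any origin that reaches the module as a dotless string is treated as local and skips every ALL EXCEPT LOCAL deny line, so accounts that must never log in remotely deserve a deny line without that exception, and the origin string each PAM-using service really supplies should be confirmed rather than assumed.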