<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16535"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=305121622-12052010><FONT color=#0000ff
size=2 face=Arial>thanks for your advice, greatly
appreciated</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=305121622-12052010><FONT color=#0000ff
size=2 face=Arial>Michael</FONT></SPAN></DIV><BR>
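<DIV dir=ltr align=left><FONT size=2 face=Arial>Added example, not from any message in this thread: a small Python model of the libpam account-stack rules the quoted messages below rely on (required, sufficient and the [default=1 success=ignore] jump), run over the two configurations compared there. The accounts, the group name 'admins' standing in for the thread's group_name placeholder, and the assumption that pam_unix.so and pam_permit.so succeed are constructed for the example; every non-success module result is mapped to the 'default' action.</FONT></DIV>
<PRE>
```python
# Simulator for the libpam account-stack semantics in this thread. Added example,
# not from the posting; the accounts and the group 'admins' (for group_name) are made up.
USERS = {"root": (0, {"root"}), "daemon": (2, {"daemon"}),   # name -> (uid, groups)
         "alice": (501, {"users"}), "mike": (502, {"users", "admins"})}
CONTROL = {"required": {"success": "ok", "default": "bad"},        # pam.conf(5)
           "sufficient": {"success": "done", "default": "ignore"}}  # expansions
SYSTEM_AUTH = """account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so"""

def run_module(mod, args, user, nologin=True):   # True means PAM_SUCCESS
    uid, groups = USERS[user]
    if mod == "pam_nologin.so":                 # root is exempt from /etc/nologin
        return uid == 0 or not nologin
    if mod == "pam_succeed_if.so":
        a = args.replace("quiet", "").split()   # e.g. ['user', 'ingroup', 'admins']
        if a[0] == "uid":                       # only 'uid < N' is needed here
            return uid < int(a[2])
        return (a[2] in groups) == (a[1] == "ingroup")   # ingroup / notingroup
    return True   # pam_unix.so (valid account) and pam_permit.so succeed

def evaluate(config, user, nologin=True):
    """Walk the stack like libpam; return ('success'|'fail', modules that ran)."""
    stack = [line.split(None, 1)[1] for line in config.strip().splitlines()]
    failed, ran, i = False, [], 0
    while i < len(stack):
        rest = stack[i]; i += 1
        if rest.startswith("["):                # [value=action ...] form
            ctl, rest = rest[1:].split("]", 1)
            ctl = dict(kv.split("=") for kv in ctl.split())
        else:                                   # simple keyword form
            ctl, rest = rest.split(None, 1); ctl = CONTROL[ctl]
        mod, _, args = rest.strip().partition(" ")
        ok = run_module(mod, args, user, nologin); ran.append(mod)
        action = ctl["success"] if ok else ctl["default"]  # any failure -> default
        if action.isdigit():            # N: jump over the next N modules
            i += int(action)
        elif action == "bad":           # required failed: remember it, go on
            failed = True
        elif action == "done":          # sufficient ok: stop; earlier 'bad' wins
            return ("fail" if failed else "success"), ran
    return ("fail" if failed else "success"), ran
# The two configurations compared in the thread, 'include system-auth' expanded
VIA_PERMIT = """account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup admins
account sufficient pam_permit.so
account required pam_nologin.so
""" + SYSTEM_AUTH
NOTINGROUP = """account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup admins
account required pam_nologin.so
""" + SYSTEM_AUTH
```
</PRE>
<DIV dir=ltr align=left><FONT size=2 face=Arial>evaluate() also returns the modules that actually ran, which makes the difference visible: with the pam_permit.so variant an admin never reaches pam_unix.so, while with the notingroup variant the system-auth account checks still run for everyone.</FONT></DIV>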
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> Viswanath Kasi
[mailto:viswanath.kvg@gmail.com] <BR><B>Sent:</B> Wednesday, May 12, 2010 3:13
PM<BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> pam-list@redhat.com;
rohan.lahiri@gmail.com<BR><B>Subject:</B> Re: Problems with
pam_nologin.so<BR></FONT><BR></DIV>
<DIV></DIV>Yes, you are right, Michael. It was my bad. My initial configuration uses
permit.so, which is a promiscuous module, whereas your configuration
doesn't, making this even less intrusive, as you stated. It works perfectly.
<DIV><BR></DIV>
<DIV>
<DIV><BR clear=all>Regards,<BR>Viswanath<BR><BR><BR>
<DIV class=gmail_quote>On Thu, May 13, 2010 at 12:22 AM, Hebenstreit, Michael
<SPAN dir=ltr><<A
href="mailto:michael.hebenstreit@intel.com">michael.hebenstreit@intel.com</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial>*confused*</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>From
documentation I got:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial><FONT
face="Times New Roman"><SPAN><EM>default</EM></SPAN>, implies 'all
<SPAN><EM>valueN</EM></SPAN>'s not mentioned explicitly. Note, the full list
of PAM errors is available in
</FONT><CODE>/usr/include/security/_pam_types.h</CODE></FONT><FONT
face="Times New Roman">. The <SPAN><EM>actionN</EM></SPAN> can be: an unsigned
integer, <SPAN><EM>n</EM></SPAN>, signifying an action of 'jump over the next
<SPAN><EM>n</EM></SPAN> modules in the stack';</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>and the
example</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN>
<P>Given that the type matches, only loads the othermodule rule if the UID is
over 500. Adjust the number after default to skip several rules. </P><PRE>type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...</PRE></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>as I
understand - the default action is to skip the next line; the default action
is executed in the case of failure. </FONT></SPAN></DIV>
<DIV class=im>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial> auth
include system-auth<BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT color=#ff0000><FONT
size=2><SPAN> </SPAN>account [default=1
success=ignore] pam_succeed_if.so quiet user <SPAN>not</SPAN>ingroup
<group_name></FONT></FONT></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN> </SPAN>account
required pam_nologin.so<BR><SPAN>
</SPAN>account include
system-auth<BR></FONT></FONT></FONT></DIV></DIV></DIV>
<DIV>
<DIV><SPAN></SPAN><FONT color=#0000ff size=2 face=Arial><SPAN>Standard users
are not in <group_name>. The test succeeds, and so the next line is
executed - requiring "no_login". For administrators the test fails, as
they are members of the group <group_name>, default kicks in and the
no_login line is jumped over</SPAN></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN></SPAN></FONT></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>my tests indicate
it works, so I'm a little bit confused now</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>could you please
clarify?</SPAN></FONT></FONT></FONT></DIV></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN></SPAN></FONT></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN>thanks</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN>Michael</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV>
<DIV dir=ltr lang=en-us align=left>
<HR>
<FONT size=2 face=Tahoma>
<DIV class=im><B>From:</B> Viswanath Kasi [mailto:<A
href="mailto:viswanath.kvg@gmail.com"
target=_blank>viswanath.kvg@gmail.com</A>] <BR></DIV><B>Sent:</B> Wednesday,
May 12, 2010 11:14 AM
<DIV class=im><BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> <A
href="mailto:pam-list@redhat.com" target=_blank>pam-list@redhat.com</A>; <A
href="mailto:rohan.lahiri@gmail.com"
target=_blank>rohan.lahiri@gmail.com</A><BR><B>Subject:</B> Re: Problems with
pam_nologin.so<BR></DIV></FONT><BR></DIV>
<DIV class=im>
<DIV></DIV>This would be quite the opposite of our basic requirement, i.e. "to allow
certain users (eg the administrators) access to a system even when
/etc/nologin is present". This modification would provide the session to any
authenticated user who is not in the admin group. </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT
color=#0000ff size=2 face=Arial></FONT><BR
clear=all>Regards,<BR>Viswanath<BR><BR><BR>
<DIV class=gmail_quote>
<DIV class=im>On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <SPAN
dir=ltr><<A href="mailto:michael.hebenstreit@intel.com"
target=_blank>michael.hebenstreit@intel.com</A>></SPAN> wrote:<BR></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV>
<DIV dir=ltr align=left>
<DIV class=im>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>was
drowned in work - thanks for the answer, but what do you think
about:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2
face=Arial> auth
include
system-auth<BR></FONT></SPAN></DIV></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT color=#ff0000><FONT
size=2><SPAN> </SPAN>account [default=1
success=ignore] pam_succeed_if.so quiet user ingroup
<group_name></FONT></FONT></FONT></DIV>
<DIV>
<DIV></DIV>
<DIV class=h5>
<DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN> </SPAN>account
required pam_nologin.so<BR><SPAN>
</SPAN>account include
system-auth<BR></FONT></FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2
face=Arial><SPAN></SPAN></FONT> </DIV></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN>isn't that even less
intrusive? I skip the nologin check for everyone in
"group_name"</SPAN></FONT></DIV>
<DIV><SPAN><FONT color=#0000ff size=2 face=Arial>thanks</FONT></SPAN></DIV>
<DIV><SPAN><FONT color=#0000ff size=2
face=Arial>Michael</FONT></SPAN></DIV></DIV></DIV></DIV>
<DIV>
<DIV></DIV>
<DIV class=h5><BR>
<DIV dir=ltr lang=en-us align=left>
<HR>
<FONT size=2 face=Tahoma><B>From:</B> Viswanath Kasi [mailto:<A
href="mailto:viswanath.kvg@gmail.com"
target=_blank>viswanath.kvg@gmail.com</A>] <BR><B>Sent:</B> Thursday, May
06, 2010 6:52 AM<BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> <A
href="mailto:pam-list@redhat.com" target=_blank>pam-list@redhat.com</A>; <A
href="mailto:rohan.lahiri@gmail.com"
target=_blank>rohan.lahiri@gmail.com</A><BR><B>Subject:</B> Re: Problems
with pam_nologin.so<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>Michael,
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><BR></DIV>
<DIV>You can also try this for multiple users based on a group</DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV>
<DIV>
<DIV>account [default=1 success=ignore] pam_succeed_if.so quiet user
ingroup <group_name></DIV>
<DIV>account sufficient pam_permit.so</DIV>
<DIV>account required pam_nologin.so</DIV>
<DIV>account include system-auth</DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><BR></DIV>Regards,<BR><BR>Viswanath<BR><BR><BR>
<DIV class=gmail_quote>On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <SPAN
dir=ltr><<A href="mailto:viswanath.kvg@gmail.com"
target=_blank>viswanath.kvg@gmail.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>Hi! Michael
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV>
<DIV>I made the following changes, which worked for me on the sshd service
without changing system-auth.</DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV>
<DIV><SPAN
style="BORDER-COLLAPSE: collapse; FONT-FAMILY: arial, sans-serif; FONT-SIZE: 13px">auth
include system-auth</SPAN></DIV>
<DIV>
<DIV>account [default=1 success=ignore] pam_succeed_if.so quiet user
= <user></DIV>
<DIV>account sufficient pam_permit.so</DIV>
<DIV>
<DIV>account required pam_nologin.so</DIV>
<DIV>account include system-auth</DIV>
<DIV><BR></DIV></DIV>
<DIV>You can try this..!</DIV>
<DIV><BR></DIV>Regards,<BR><FONT color=#888888><BR>Viswanath</FONT>
<DIV>
<DIV></DIV>
<DIV><BR><BR><BR>
<DIV class=gmail_quote>On Tue, May 4, 2010 at 12:16 AM, Hebenstreit,
Michael <SPAN dir=ltr><<A href="mailto:michael.hebenstreit@intel.com"
target=_blank>michael.hebenstreit@intel.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>I'm sorry to hit the entire list with this question
but after some hours research I'm still unable to find a solution to my
problem. I need a way to allow certain users (eg the administrators)
access to a system even when /etc/nologin is present. The original Red Hat
5 config read like:<BR><BR> auth include
system-auth<BR> account required
pam_nologin.so<BR> account include
system-auth<BR> ....<BR><BR>with system-auth
containing<BR><BR> ...<BR> account required
pam_unix.so<BR> account
sufficient pam_succeed_if.so uid < 500
quiet<BR> account required
pam_permit.so<BR> ...<BR><BR>My modification would
be:<BR><BR> #%PAM-1.0<BR> auth include
system-auth<BR> account include
system-auth<BR> account sufficient
pam_listfile.so onerr=fail item=user sense=allow
file=/etc/admins<BR> account required
pam_nologin.so<BR> ....<BR><BR>Which holes do I open by moving
pam_nologin.so to the end of the stack? Are there better ways to reach
my goal?<BR><BR>thanks for any
help<BR>Michael<BR><BR><BR>------------------------------------------------------------------------<BR>Michael
Hebenstreit
Senior Cluster Architect<BR>Intel Corporation
Software and Services
Group/DRD<BR>2800 N Center Dr, DP3-307
Tel.: +1 253 371 3144<BR>WA 98327, DuPont<BR>UNITED STATES
E-mail: <A href="mailto:michael.hebenstreit@intel.com"
target=_blank>michael.hebenstreit@intel.com</A><BR><BR>_______________________________________________<BR>Pam-list
mailing list<BR><A href="mailto:Pam-list@redhat.com"
target=_blank>Pam-list@redhat.com</A><BR><A
href="https://www.redhat.com/mailman/listinfo/pam-list"
target=_blank>https://www.redhat.com/mailman/listinfo/pam-list</A><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>