<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="text/html; charset=us-ascii" http-equiv=Content-Type> <META name=GENERATOR content="MSHTML 8.00.7600.16535"></HEAD> <BODY> <DIV dir=ltr align=left><SPAN class=305121622-12052010><FONT color=#0000ff size=2 face=Arial>thanks for your advise, greatly appreciated</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN class=305121622-12052010><FONT color=#0000ff size=2 face=Arial>Michael</FONT></SPAN></DIV><BR> <DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left> <HR tabIndex=-1> <FONT size=2 face=Tahoma><B>From:</B> Viswanath Kasi [mailto:viswanath.kvg@gmail.com] <BR><B>Sent:</B> Wednesday, May 12, 2010 3:13 PM<BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> pam-list@redhat.com; rohan.lahiri@gmail.com<BR><B>Subject:</B> Re: Problems with pam_nologin.so<BR></FONT><BR></DIV> <DIV></DIV>Yes you are right Micheal.It was my bad.My initial configuration uses permit.so which is a promiscuous module,where as your configuration doesn't, making this even less intrusive, as you stated.It works perfectly. <DIV><BR></DIV> <DIV> <DIV><BR clear=all>Regards,<BR>Viswanath<BR><BR><BR> <DIV class=gmail_quote>On Thu, May 13, 2010 at 12:22 AM, Hebenstreit, Michael <SPAN dir=ltr><<A href="mailto:michael.hebenstreit@intel.com">michael.hebenstreit@intel.com</A>></SPAN> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote> <DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>*confused*</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial></FONT></SPAN> </DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>From documentation I got:</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN><FONT face=Arial><FONT face="Times New Roman"><SPAN><EM></EM></SPAN></FONT></FONT></SPAN> </DIV> <DIV dir=ltr align=left><SPAN><FONT face=Arial><FONT face="Times New Roman"><SPAN><EM>default</EM></SPAN>, implies 'all <SPAN><EM>valueN</EM></SPAN>'s not mentioned explicitly. Note, the full list of PAM errors is available in </FONT><CODE>/usr/include/security/_pam_types.h</CODE></FONT><FONT face="Times New Roman">. The <SPAN><EM>actionN</EM></SPAN> can be: an unsigned integer, <SPAN><EM>n</EM></SPAN>, signifying an action of 'jump over the next <SPAN><EM>n</EM></SPAN> modules in the stack';</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial></FONT></SPAN> </DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>and the example</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN> <P>Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. </P><PRE>type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 type required othermodule.so arguments...</PRE></SPAN></DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>as I understand - the default action is to skip the next line; the default action is executed in the case of failure. </FONT></SPAN></DIV> <DIV class=im> <DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV> <DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial> auth include system-auth<BR></FONT></SPAN></DIV> <DIV dir=ltr align=left><FONT face=Arial><FONT color=#ff0000><FONT size=2><SPAN> </SPAN>account [default=1 success=ignore] pam_succeed_if.so quiet user <SPAN>not</SPAN>ingroup <group_name></FONT></FONT></FONT></DIV> <DIV dir=ltr align=left><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN> </SPAN>account required pam_nologin.so<BR><SPAN> </SPAN>account include system-auth<BR></FONT></FONT></FONT></DIV></DIV></DIV> <DIV> <DIV><SPAN></SPAN><FONT color=#0000ff size=2 face=Arial><SPAN>Standard users are not in <group_name>. The test succeeds, and so the next line is executed - requiring "no_login". For administrators the tests fails, as they are members of the group <group_name>, default kicks in and the no_login line is jumped over</SPAN></FONT></DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN></SPAN></FONT></FONT></FONT> </DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>my tests indicate it works, so I'm a little bit confused now</SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>could you please clarify?</SPAN></FONT></FONT></FONT></DIV></DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN></SPAN></FONT></FONT></FONT> </DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>thanks</SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN>Michael</SPAN></FONT></FONT></FONT></DIV> <DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV> <DIV dir=ltr lang=en-us align=left> <HR> <FONT size=2 face=Tahoma> <DIV class=im><B>From:</B> Viswanath Kasi [mailto:<A href="mailto:viswanath.kvg@gmail.com" target=_blank>viswanath.kvg@gmail.com</A>] <BR></DIV><B>Sent:</B> Wednesday, May 12, 2010 11:14 AM <DIV class=im><BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> <A href="mailto:pam-list@redhat.com" target=_blank>pam-list@redhat.com</A>; <A href="mailto:rohan.lahiri@gmail.com" target=_blank>rohan.lahiri@gmail.com</A><BR><B>Subject:</B> Re: Problems with pam_nologin.so<BR></DIV></FONT><BR></DIV> <DIV class=im> <DIV></DIV>This would be quite opposite to our basic requirement i.e "to allow certain users (eg the administrators) access to a system even when /etc/nologin is present".This modification would provide the session to any authenticated user who is not in the admin group. </DIV> <DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><BR clear=all>Regards,<BR>Viswanath<BR><BR><BR> <DIV class=gmail_quote> <DIV class=im>On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <SPAN dir=ltr><<A href="mailto:michael.hebenstreit@intel.com" target=_blank>michael.hebenstreit@intel.com</A>></SPAN> wrote:<BR></DIV> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote> <DIV> <DIV dir=ltr align=left> <DIV class=im> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial>was drowned in work - thanks for the answer, but what do you think about:</FONT></SPAN></DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial></FONT></SPAN> </DIV> <DIV dir=ltr align=left><SPAN><FONT color=#0000ff size=2 face=Arial> auth include system-auth<BR></FONT></SPAN></DIV></DIV> <DIV dir=ltr align=left><FONT face=Arial><FONT color=#ff0000><FONT size=2><SPAN> </SPAN>account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name></FONT></FONT></FONT></DIV> <DIV> <DIV></DIV> <DIV class=h5> <DIV> <DIV dir=ltr align=left><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN> </SPAN>account required pam_nologin.so<BR><SPAN> </SPAN>account include system-auth<BR></FONT></FONT></FONT></DIV> <DIV><FONT color=#0000ff size=2 face=Arial><SPAN></SPAN></FONT> </DIV></DIV> <DIV><FONT color=#0000ff size=2 face=Arial><SPAN>isn't that even less intrusive? I skip the nologin check for everyone in "group_name"</SPAN></FONT></DIV> <DIV><SPAN><FONT color=#0000ff size=2 face=Arial>thanks</FONT></SPAN></DIV> <DIV><SPAN><FONT color=#0000ff size=2 face=Arial>Michael</FONT></SPAN></DIV></DIV></DIV></DIV> <DIV> <DIV></DIV> <DIV class=h5><BR> <DIV dir=ltr lang=en-us align=left> <HR> <FONT size=2 face=Tahoma><B>From:</B> Viswanath Kasi [mailto:<A href="mailto:viswanath.kvg@gmail.com" target=_blank>viswanath.kvg@gmail.com</A>] <BR><B>Sent:</B> Thursday, May 06, 2010 6:52 AM<BR><B>To:</B> Hebenstreit, Michael<BR><B>Cc:</B> <A href="mailto:pam-list@redhat.com" target=_blank>pam-list@redhat.com</A>; <A href="mailto:rohan.lahiri@gmail.com" target=_blank>rohan.lahiri@gmail.com</A><BR><B>Subject:</B> Re: Problems with pam_nologin.so<BR></FONT><BR></DIV> <DIV> <DIV></DIV> <DIV> <DIV></DIV>Micheal, <DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV> <DIV>You can also try this for multiple users based on a group</DIV> <DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV> <DIV> <DIV>account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name></DIV> <DIV>account sufficient pam_permit.so</DIV> <DIV>account required pam_nologin.so</DIV> <DIV>account include system-auth</DIV> <DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV>Regards,<BR><BR>Viswanath<BR><BR><BR> <DIV class=gmail_quote>On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <SPAN dir=ltr><<A href="mailto:viswanath.kvg@gmail.com" target=_blank>viswanath.kvg@gmail.com</A>></SPAN> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>Hi! Michael <DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV> <DIV>I made the following changes which worked for me on sshd service with out changing system auth.</DIV> <DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR></DIV> <DIV><SPAN style="BORDER-COLLAPSE: collapse; FONT-FAMILY: arial, sans-serif; FONT-SIZE: 13px">auth include system-auth</SPAN></DIV> <DIV> <DIV>account [default=1 success=ignore] pam_succeed_if.so quiet user = <user></DIV> <DIV>account sufficient pam_permit.so</DIV> <DIV> <DIV>account required pam_nologin.so</DIV> <DIV>account include system-auth</DIV> <DIV><BR></DIV></DIV> <DIV>You can try this..!</DIV> <DIV><BR></DIV>Regards,<BR><FONT color=#888888><BR>Viswanath</FONT> <DIV> <DIV></DIV> <DIV><BR><BR><BR> <DIV class=gmail_quote>On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <SPAN dir=ltr><<A href="mailto:michael.hebenstreit@intel.com" target=_blank>michael.hebenstreit@intel.com</A>></SPAN> wrote:<BR> <BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:<BR><BR> auth include system-auth<BR> account required pam_nologin.so<BR> account include system-auth<BR> ....<BR><BR>with system-auth containing<BR><BR> ...<BR> account required pam_unix.so<BR> account sufficient pam_succeed_if.so uid < 500 quiet<BR> account required pam_permit.so<BR> ...<BR><BR>My modification would be:<BR><BR> #%PAM-1.0<BR> auth include system-auth<BR> account include system-auth<BR> account sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins<BR> account required pam_nologin.so<BR> ....<BR><BR>Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?<BR><BR>thanks for any help<BR>Michael<BR><BR><BR>------------------------------------------------------------------------<BR>Michael Hebenstreit Senior Cluster Architect<BR>Intel Corporation Software and Services Group/DRD<BR>2800 N Center Dr, DP3-307 Tel.: +1 253 371 3144<BR>WA 98327, DuPont<BR>UNITED STATES E-mail: <A href="mailto:michael.hebenstreit@intel.com" target=_blank>michael.hebenstreit@intel.com</A><BR><BR>_______________________________________________<BR>Pam-list mailing list<BR><A href="mailto:Pam-list@redhat.com" target=_blank>Pam-list@redhat.com</A><BR><A href="https://www.redhat.com/mailman/listinfo/pam-list" target=_blank>https://www.redhat.com/mailman/listinfo/pam-list</A><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>