This would be quite opposite to our basic requirement i.e "to allow certain users (eg the administrators) access to a system even when /etc/nologin is present".This modification would provide the session to any authenticated user who is not in the admin group.<div> <br clear="all">Regards,<br>Viswanath<br> <br><br><div class="gmail_quote">On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com">michael.hebenstreit@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> <div> <div dir="ltr" align="left"> <div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">was drowned in work - thanks for the answer, but what do you think about:</font></span></div> <div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div> <div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"> auth include system-auth<br></font></span></div> <div dir="ltr" align="left"><font face="Arial"><font color="#ff0000"><font size="2"><span> </span>account [default=1 success=ignore] pam_succeed_if.so quiet user <span>not</span>ingroup <group_name></font></font></font></div><div class="im"> <div dir="ltr" align="left"><font face="Arial"><font color="#0000ff"><font size="2"><span> </span>account required pam_nologin.so<br><span> </span>account include system-auth<br></font></font></font></div> <div><font color="#0000ff" size="2" face="Arial"><span></span></font> </div> </div><div><font color="#0000ff" size="2" face="Arial"><span>isn't that even less intrusive? I skip the nologin check for everyone in "group_name"</span></font></div> <div><span><font color="#0000ff" size="2" face="Arial">thanks</font></span></div> <div><span><font color="#0000ff" size="2" face="Arial">Michael</font></span></div></div><br> <div dir="ltr" lang="en-us" align="left"> <hr> <font size="2" face="Tahoma"><b>From:</b> Viswanath Kasi [mailto:<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>] <br><b>Sent:</b> Thursday, May 06, 2010 6:52 AM<br><b>To:</b> Hebenstreit, Michael<br><b>Cc:</b> <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a>; <a href="mailto:rohan.lahiri@gmail.com" target="_blank">rohan.lahiri@gmail.com</a><br><b>Subject:</b> Re: Problems with pam_nologin.so<br></font><br></div><div><div></div><div class="h5"> <div></div>Micheal, <div><br></div> <div>You can also try this for multiple users based on a group</div> <div><br></div> <div> <div>account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name></div> <div>account sufficient pam_permit.so</div> <div>account required pam_nologin.so</div> <div>account include system-auth</div> <div><br></div>Regards,<br><br>Viswanath<br><br><br> <div class="gmail_quote">On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <span dir="ltr"><<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>></span> wrote:<br> <blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">Hi! Michael <div><br></div> <div>I made the following changes which worked for me on sshd service with out changing system auth.</div> <div><br></div> <div><span style="border-collapse:collapse;font-family:arial, sans-serif;font-size:13px">auth include system-auth</span></div> <div> <div>account [default=1 success=ignore] pam_succeed_if.so quiet user = <user></div> <div>account sufficient pam_permit.so</div> <div> <div>account required pam_nologin.so</div> <div>account include system-auth</div> <div><br></div></div> <div>You can try this..!</div> <div><br></div>Regards,<br><font color="#888888"><br>Viswanath</font> <div> <div></div> <div><br><br><br> <div class="gmail_quote">On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a>></span> wrote:<br> <blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:<br><br> auth include system-auth<br> account required pam_nologin.so<br> account include system-auth<br> ....<br><br>with system-auth containing<br><br> ...<br> account required pam_unix.so<br> account sufficient pam_succeed_if.so uid < 500 quiet<br> account required pam_permit.so<br> ...<br><br>My modification would be:<br><br> #%PAM-1.0<br> auth include system-auth<br> account include system-auth<br> account sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins<br> account required pam_nologin.so<br> ....<br><br>Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?<br><br>thanks for any help<br>Michael<br><br><br>------------------------------------------------------------------------<br>Michael Hebenstreit Senior Cluster Architect<br>Intel Corporation Software and Services Group/DRD<br>2800 N Center Dr, DP3-307 Tel.: +1 253 371 3144<br>WA 98327, DuPont<br>UNITED STATES E-mail: <a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a><br><br>_______________________________________________<br>Pam-list mailing list<br><a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br> </blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div> </blockquote></div><br></div>