This would be quite opposite to our basic requirement i.e. "to allow certain users (eg the administrators) access to a system even when /etc/nologin is present". This modification would provide the session to any authenticated user who is not in the admin group.<div>
<br clear="all">Regards,<br>Viswanath<br>
<br><br><div class="gmail_quote">On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com">michael.hebenstreit@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<div dir="ltr" align="left">
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">was drowned in work - thanks for the answer, but what do you
think about:</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"> auth
include system-auth<br></font></span></div>
<div dir="ltr" align="left"><font face="Arial"><font color="#ff0000"><font size="2"><span> </span>account [default=1
success=ignore] pam_succeed_if.so quiet user <span>not</span>ingroup
&lt;group_name&gt;</font></font></font></div><div class="im">
<div dir="ltr" align="left"><font face="Arial"><font color="#0000ff"><font size="2"><span> </span>account
required pam_nologin.so<br><span> </span>account
include
system-auth<br></font></font></font></div>
<div><font color="#0000ff" size="2" face="Arial"><span></span></font> </div>
</div><div><font color="#0000ff" size="2" face="Arial"><span>isn't
that even less intrusive? I skip the nologin check for everyone in
"group_name"</span></font></div>
<div><span><font color="#0000ff" size="2" face="Arial">thanks</font></span></div>
<div><span><font color="#0000ff" size="2" face="Arial">Michael</font></span></div></div><br>
<div dir="ltr" lang="en-us" align="left">
<hr>
<font size="2" face="Tahoma"><b>From:</b> Viswanath Kasi
[mailto:<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>] <br><b>Sent:</b> Thursday, May 06, 2010 6:52
AM<br><b>To:</b> Hebenstreit, Michael<br><b>Cc:</b> <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a>;
<a href="mailto:rohan.lahiri@gmail.com" target="_blank">rohan.lahiri@gmail.com</a><br><b>Subject:</b> Re: Problems with
pam_nologin.so<br></font><br></div><div><div></div><div class="h5">
<div></div>Michael,
<div><br></div>
<div>You can also try this for multiple users based on a group</div>
<div><br></div>
<div>
<div>account [default=1 success=ignore] pam_succeed_if.so quiet user
ingroup &lt;group_name&gt;</div>
<div>account sufficient pam_permit.so</div>
<div>account required pam_nologin.so</div>
<div>account include system-auth</div>
<div><br></div>Regards,<br><br>Viswanath<br><br><br>
<div class="gmail_quote">On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <span dir="ltr"><<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>></span>
wrote:<br>
<blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">Hi! Michael
<div><br></div>
<div>I made the following changes which worked for me on sshd service without
changing system auth.</div>
<div><br></div>
<div><span style="border-collapse:collapse;font-family:arial, sans-serif;font-size:13px">auth
include system-auth</span></div>
<div>
<div>account [default=1 success=ignore] pam_succeed_if.so quiet user =
&lt;user&gt;</div>
<div>account sufficient pam_permit.so</div>
<div>
<div>account required pam_nologin.so</div>
<div>account include system-auth</div>
<div><br></div></div>
<div>You can try this..!</div>
<div><br></div>Regards,<br><font color="#888888"><br>Viswanath</font>
<div>
<div></div>
<div><br><br><br>
<div class="gmail_quote">On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael
<span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a>></span> wrote:<br>
<blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">I'm sorry to hit the entire list with this question but
after some hours research I'm still unable to find a solution to my problem.
I need a way to allow certain users (eg the administrators) access to a
system even when /etc/nologin is present. The original Redhat 5 config read
like:<br><br> auth include
system-auth<br> account required
pam_nologin.so<br> account include
system-auth<br> ....<br><br>with system-auth
containing<br><br> ...<br> account required
pam_unix.so<br> account sufficient
pam_succeed_if.so uid < 500 quiet<br> account
required pam_permit.so<br> ...<br><br>My
modification would be:<br><br> #%PAM-1.0<br> auth
include system-auth<br> account
include system-auth<br> account
sufficient pam_listfile.so onerr=fail item=user sense=allow
file=/etc/admins<br> account required
pam_nologin.so<br> ....<br><br>Which holes do I open by moving
pam_nologin.so to the end of the stack? Are there better ways to reach my
goal?<br><br>thanks for any
help<br>Michael<br><br><br>------------------------------------------------------------------------<br>Michael
Hebenstreit Senior
Cluster Architect<br>Intel Corporation
Software and Services Group/DRD<br>2800 N Center
Dr, DP3-307 Tel.: +1 253 371
3144<br>WA 98327, DuPont<br>UNITED STATES
                                   E-mail: <a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a><br>
</blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
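<div>Added example, not part of any message in this thread and not libpam code: a small Python model of how the two group-based account stacks quoted above are walked when /etc/nologin exists, with system-auth inlined as in the oldest message. The group name admins, the user records and the expired flag are constructed assumptions, and only the modules named in the thread are modelled.</div>

```python
import re

# Constructed model. Assumptions: /etc/nologin exists, the exempt group is
# named "admins" (placeholder), and "expired" marks an account pam_unix rejects.
SYSTEM_AUTH = """account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so"""
HEAD = "account [default=1 success=ignore] pam_succeed_if.so quiet user "
TAIL = "account required pam_nologin.so\naccount include system-auth"
STACKS = {"ingroup+permit": HEAD + "ingroup admins\naccount sufficient pam_permit.so\n" + TAIL,
          "notingroup": HEAD + "notingroup admins\n" + TAIL}
SHORT = {"required": {"success": "ok", "default": "bad"},       # keyword controls as
         "sufficient": {"success": "done", "default": "ignore"}}  # bracket actions (subset)

def module_ok(name, args, user):
    if name == "pam_nologin.so":
        return user["uid"] == 0              # file present: only root passes
    if name == "pam_unix.so":
        return not user.get("expired", False)
    if name == "pam_succeed_if.so":
        field, op, value = [a for a in args.split() if a != "quiet"]
        if field == "uid":                   # "uid < 500" from system-auth
            return user["uid"] < int(value)
        return (value in user["groups"]) == (op == "ingroup")
    return True                              # pam_permit.so

def entries(text):
    for line in text.splitlines():
        control, name, args = re.match(r"account\s+(\[.*?\]|\S+)\s+(\S+)\s*(.*)", line).groups()
        # "include" inlines the other file's account lines at this point
        yield from (entries(SYSTEM_AUTH) if control == "include" else [(control, name, args)])

def account_allows(stack, user):
    verdict, skip = None, 0                  # None: nothing has decided yet
    for control, name, args in entries(STACKS[stack]):
        if skip:                             # line jumped over by default=N
            skip -= 1
            continue
        actions = SHORT.get(control) or dict(kv.split("=") for kv in control.strip("[]").split())
        action = actions["success" if module_ok(name, args, user) else "default"]
        if action.isdigit():
            skip = int(action)
        elif action == "bad":                # a required module failed: stays failed
            verdict = False
        elif action in ("ok", "done") and verdict is not False:
            verdict = True
            if action == "done":             # sufficient: stop, later lines never run
                break
    return verdict is True
```

<div>Calling account_allows with a stack name and a user record returns whether the account phase would let that user in. Comparing both stacks for an admin record carrying "expired": True shows where the sufficient pam_permit.so line ends evaluation before system-auth is reached.</div>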