Yes, you are right, Michael. It was my bad. My initial configuration uses permit.so, which is a promiscuous module, whereas your configuration doesn't, making this even less intrusive, as you stated. It works perfectly.<div>
<br></div><div><div><br clear="all">Regards,<br>Viswanath<br>
<br><br><div class="gmail_quote">On Thu, May 13, 2010 at 12:22 AM, Hebenstreit, Michael <span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com">michael.hebenstreit@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">*confused*</font></span></div>
<div dir="ltr" align="left"> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">From documentation I got:</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial"><font face="Times New Roman"><span><em></em></span></font></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial"><font face="Times New Roman"><span><em>default</em></span>, implies
'all <span><em>valueN</em></span>'s not mentioned explicitly.
Note, the full list of PAM errors is available in </font><code>/usr/include/security/_pam_types.h</code></font><font face="Times New Roman">. The <span><em>actionN</em></span> can
be: an unsigned integer, <span><em>n</em></span>, signifying an
action of 'jump over the next <span><em>n</em></span> modules in
the stack';</font></span></div>
<div dir="ltr" align="left"> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">and the example</font></span></div>
<div dir="ltr" align="left"><span>
<p>Given that the type matches, only loads the othermodule rule if the UID is
over 500. Adjust the number after default to skip several rules. </p><pre>type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...</pre></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">as I understand - the default action is to skip the next line;
the default action is executed in the case of failure. </font></span></div><div class="im">
<div> </div>
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"> auth
include system-auth<br></font></span></div>
<div dir="ltr" align="left"><font face="Arial"><font color="#ff0000"><font size="2"><span> </span>account [default=1 success=ignore]
pam_succeed_if.so quiet user <span>not</span>ingroup
<group_name></font></font></font></div>
<div dir="ltr" align="left"><font face="Arial"><font color="#0000ff"><font size="2"><span> </span>account
required pam_nologin.so<br><span>
</span>account include
system-auth<br></font></font></font></div></div>
</div><div>
<div><font color="#0000ff" size="2" face="Arial"><span>Standard users are not in
<group_name>. The test succeeds, and so the next line is executed,
requiring "no_login". For administrators the test fails, as they are
members of the group <group_name>; default kicks in and the no_login line
is jumped over.</span></font></div>
<div> </div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span>My tests indicate it works, so I'm a little bit
confused now.</span></font></font></font></div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span>Could you please
clarify?</span></font></font></font></div></div>
<div> </div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span>thanks</span></font></font></font></div>
<div><font face="Arial"><font color="#0000ff"><font size="2"><span>Michael</span></font></font></font></div>
<div><br></div>
<div dir="ltr" lang="en-us" align="left">
<hr>
<font size="2" face="Tahoma"><div class="im"><b>From:</b> Viswanath Kasi
[mailto:<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>] <br></div><b>Sent:</b> Wednesday, May 12, 2010 11:14
AM<div class="im"><br><b>To:</b> Hebenstreit, Michael<br><b>Cc:</b> <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a>;
<a href="mailto:rohan.lahiri@gmail.com" target="_blank">rohan.lahiri@gmail.com</a><br><b>Subject:</b> Re: Problems with
pam_nologin.so<br></div></font><br></div><div class="im">
<div></div>This would be quite the opposite of our basic requirement, i.e. "to allow
certain users (e.g. the administrators) access to a system even when /etc/nologin
is present". This modification would provide the session to any authenticated
user who is not in the admin group.
</div><div><br clear="all">
Regards,<br>Viswanath<br><br><br>
<div class="gmail_quote"><div class="im">On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael
<span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a>></span>
wrote:<br>
</div><blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">
<div>
<div dir="ltr" align="left"><div class="im">
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial">was
drowned in work - thanks for the answer, but what do you think
about:</font></span></div>
<div dir="ltr" align="left"> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" size="2" face="Arial"> auth
include system-auth<br></font></span></div>
</div><div dir="ltr" align="left"><font face="Arial"><font color="#ff0000"><font size="2"><span> </span>account [default=1
success=ignore] pam_succeed_if.so quiet user ingroup
<group_name></font></font></font></div><div><div></div><div class="h5">
<div>
<div dir="ltr" align="left"><font face="Arial"><font color="#0000ff"><font size="2"><span> </span>account
required pam_nologin.so<br><span>
</span>account include
system-auth<br></font></font></font></div>
<div> </div>
<div><font color="#0000ff" size="2" face="Arial"><span>isn't that even less
intrusive? I skip the nologin check for everyone in
"group_name"</span></font></div>
<div><span><font color="#0000ff" size="2" face="Arial">thanks</font></span></div>
<div><span><font color="#0000ff" size="2" face="Arial">Michael</font></span></div></div></div></div><div><div></div><div class="h5"><br>
<div dir="ltr" lang="en-us" align="left">
<hr>
<font size="2" face="Tahoma"><b>From:</b> Viswanath Kasi [mailto:<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>] <br><b>Sent:</b> Thursday, May 06,
2010 6:52 AM<br><b>To:</b> Hebenstreit, Michael<br><b>Cc:</b> <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a>; <a href="mailto:rohan.lahiri@gmail.com" target="_blank">rohan.lahiri@gmail.com</a><br>
<b>Subject:</b> Re: Problems with
pam_nologin.so<br></font><br></div>
<div>
<div></div>
<div>
<div></div>Michael,
<div><br></div>
<div>You can also try this for multiple users based on a group</div>
<div><br></div>
<div>
<div>account [default=1 success=ignore] pam_succeed_if.so quiet user
ingroup <group_name></div>
<div>account sufficient pam_permit.so</div>
<div>account required pam_nologin.so</div>
<div>account include system-auth</div>
<div><br></div>Regards,<br><br>Viswanath<br><br><br>
<div class="gmail_quote">On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <span dir="ltr"><<a href="mailto:viswanath.kvg@gmail.com" target="_blank">viswanath.kvg@gmail.com</a>></span> wrote:<br>
<blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">Hi Michael!
<div><br></div>
<div>I made the following changes, which worked for me on the sshd service
without changing system-auth.</div>
<div><br></div>
<div><span style="border-collapse:collapse;font-family:arial, sans-serif;font-size:13px">auth
include system-auth</span></div>
<div>
<div>account [default=1 success=ignore] pam_succeed_if.so quiet user =
<user></div>
<div>account sufficient pam_permit.so</div>
<div>
<div>account required pam_nologin.so</div>
<div>account include system-auth</div>
<div><br></div></div>
<div>You can try this!</div>
<div><br></div>Regards,<br><font color="#888888"><br>Viswanath</font>
<div>
<div></div>
<div><br><br><br>
<div class="gmail_quote">On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael
<span dir="ltr"><<a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a>></span> wrote:<br>
<blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">I'm sorry to hit the entire list with this question, but
after some hours of research I'm still unable to find a solution to my
problem. I need a way to allow certain users (e.g. the administrators)
access to a system even when /etc/nologin is present. The original Red Hat 5
config read like:<pre>auth     include    system-auth
account  required   pam_nologin.so
account  include    system-auth
....</pre>with system-auth containing<pre>...
account  required   pam_unix.so
account  sufficient pam_succeed_if.so uid < 500 quiet
account  required   pam_permit.so
...</pre>My modification would be:<pre>#%PAM-1.0
auth     include    system-auth
account  include    system-auth
account  sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
account  required   pam_nologin.so
....</pre>Which holes do I open by moving
pam_nologin.so to the end of the stack? Are there better ways to reach my
goal?<br><br>thanks for any
help<br>Michael<br><br><br>------------------------------------------------------------------------<br>Michael
Hebenstreit Senior
Cluster Architect<br>Intel Corporation
Software and Services Group/DRD<br>2800 N
Center Dr, DP3-307 Tel.: +1 253
371 3144<br>WA 98327, DuPont<br>UNITED STATES
E-mail: <a href="mailto:michael.hebenstreit@intel.com" target="_blank">michael.hebenstreit@intel.com</a><br><br>_______________________________________________<br>Pam-list
mailing list<br><a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br>
</blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div></div></div></blockquote></div><br></div></div>
</blockquote></div><br></div></div>
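<p>Added example, not code from this thread or from Linux-PAM: a small Python model of how Linux-PAM walks an <code>account</code> stack. It implements the control semantics from pam.conf(5) that the thread quotes (<code>required</code>, <code>sufficient</code>, and the <code>[value=action]</code> form with <code>ignore</code> and integer jumps), stubs the modules the thread uses, and evaluates the proposed stacks side by side: the Red Hat 5 default, Michael's first <code>pam_listfile.so</code> variant, Viswanath's <code>sufficient pam_permit.so</code> variant, and Michael's <code>ingroup</code> and <code>notingroup</code> variants. Assumptions, all constructed for the example: the thread's group_name is <code>admins</code>; the users are root, alice (uid 501, in admins), bob (uid 502) and svc (uid 99, a system account); <code>/etc/admins</code> lists alice; <code>pam_unix.so</code> account checks always pass; <code>pam_nologin.so</code> is reduced to "refuse non-root users while <code>/etc/nologin</code> exists, otherwise PAM_IGNORE". Only the <code>account</code> stack is modelled; the <code>auth</code> stack still has to pass first. Each verdict comes with a trace of the modules that actually ran, which is what separates the variants: with <code>sufficient pam_permit.so</code> the stack ends for admins before <code>pam_unix.so</code> is consulted at all, while the <code>notingroup</code> variant skips only <code>pam_nologin.so</code>.</p>

```python
"""Simplified model of how Linux-PAM walks an `account` stack: an added example, not code
from the pam-list thread. It implements the pam.conf(5) control semantics (required,
requisite, sufficient, optional and the [value=action] form with ok/done/bad/die/ignore
and integer jumps) and stubs the modules the thread uses, on constructed users/files."""
# Return values, named by the key pam.conf(5) uses for them in [value=action] lists.
SUCCESS, AUTH_ERR, PERM_DENIED, IGNORE = "success", "auth_err", "perm_denied", "ignore"
# Constructed accounts: name -> (uid, groups). RHEL5 treats uid < 500 as a system account.
USERS = {"root": (0, []), "alice": (501, ["admins"]), "bob": (502, []), "svc": (99, [])}
ADMINS_FILE = {"alice"}  # stands in for the /etc/admins file read by pam_listfile.so
# pam.conf(5): the keyword controls are shorthands for [value=action] lists.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def pam_succeed_if(user, nologin, args):
    """The pam_succeed_if.so tests that appear in the thread."""
    uid, groups = USERS[user]
    field, op, value = [t for t in args if t != "quiet"]
    tests = {("user", "="): lambda: user == value, ("user", "ingroup"): lambda: value in groups,
             ("user", "notingroup"): lambda: value not in groups, ("uid", "<"): lambda: uid < int(value)}
    return SUCCESS if tests[(field, op)]() else AUTH_ERR

def pam_nologin(user, nologin, args):
    """Refuse non-root users while /etc/nologin exists; otherwise say nothing (PAM_IGNORE)."""
    return AUTH_ERR if nologin and user != "root" else IGNORE

MODULES = {
    "pam_succeed_if.so": pam_succeed_if,
    "pam_nologin.so": pam_nologin,
    "pam_listfile.so": lambda user, nologin, args: SUCCESS if user in ADMINS_FILE else AUTH_ERR,
    "pam_permit.so": lambda user, nologin, args: SUCCESS,
    "pam_unix.so": lambda user, nologin, args: SUCCESS,  # no expired accounts in the constructed data
}

def expand(lines, files):
    """Parse account lines into (control, module, args), inlining `include`d files
    (RHEL5 uses include, not substack, so included lines act as if typed in place)."""
    chain = []
    for line in lines:
        typ, rest = line.split(None, 1)
        if typ != "account":
            continue
        if rest.startswith("["):  # [value=action ...] control
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctl.split())
        else:                     # keyword control, or include
            ctl, rest = rest.split(None, 1)
            control = None if ctl == "include" else KEYWORDS[ctl]
        module, *args = rest.split()
        chain += expand(files[module], files) if control is None else [(control, module, args)]
    return chain

def run_account(lines, files, user, nologin):
    """Walk the stack as Linux-PAM's pam_dispatch does (simplified); return (status, trace)."""
    chain, impression, status, trace, i = expand(lines, files), "undef", None, [], 0
    while i < len(chain):
        control, module, args = chain[i]
        retval = MODULES[module](user, nologin, args)
        action = control.get(retval, control.get("default", "bad"))
        trace.append((module, retval, action))
        if action in ("bad", "die"):
            if impression != "negative":  # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression != "negative":  # success cannot undo an earlier required failure
                impression, status = "positive", retval
                if action == "done":      # sufficient: stop here, later modules never run
                    break
        elif action != "ignore":          # an integer: jump over the next N modules
            i += int(action)
        i += 1
    if impression != "positive":          # nothing positive recorded: PAM refuses
        status = status if impression == "negative" else PERM_DENIED
    return status, trace

SYSTEM_AUTH = [  # the RHEL5 system-auth account section quoted in the thread
    "account required pam_unix.so",
    "account sufficient pam_succeed_if.so uid < 500 quiet",
    "account required pam_permit.so",
]
TEST = "account [default=1 success=ignore] pam_succeed_if.so quiet user "
NOLOGIN, INCLUDE = "account required pam_nologin.so", "account include system-auth"
STACKS = {  # the sshd account stacks proposed in the thread, with group_name = admins
    "rhel5-default": [NOLOGIN, INCLUDE],
    "michael-listfile": [INCLUDE, "account sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins", NOLOGIN],
    "viswanath-permit": [TEST + "ingroup admins", "account sufficient pam_permit.so", NOLOGIN, INCLUDE],
    "michael-ingroup": [TEST + "ingroup admins", NOLOGIN, INCLUDE],
    "michael-notingroup": [TEST + "notingroup admins", NOLOGIN, INCLUDE],
}

def evaluate(stack, user, nologin=True):
    """Final account verdict for `user` under one of the proposed stacks, plus the trace."""
    return run_account(STACKS[stack], {"system-auth": SYSTEM_AUTH}, user, nologin)

if __name__ == "__main__":  # print every verdict and which modules actually ran
    for name in STACKS:
        for user in USERS:
            print(name, user, *evaluate(name, user))
```

<p>Running it with <code>/etc/nologin</code> present also answers the question in the first post. With <code>include system-auth</code> placed ahead of <code>pam_nologin.so</code>, any account with a uid below 500 satisfies the <code>sufficient pam_succeed_if.so</code> line inside system-auth and the stack returns success before <code>pam_nologin.so</code> is reached, so a system account that can pass the <code>auth</code> stack bypasses the lockout entirely; the <code>ingroup</code> variant lets everyone except the administrators in; the <code>notingroup</code> variant keeps <code>pam_nologin.so</code> ahead of the include, skips it only for group members, and still runs <code>pam_unix.so</code> for them.</p>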