Re: Looking for a PAM module

On Thu, 16 Dec 1999, Daniel Hambali wrote:

> I am looking for a PAM module that will prevent users from logging into a
> designated account, but will allow users to su to the account (much like the
> behavior of the root account).  Does such a module exist?  If so, what is
> the name, and where can I find it?

> Now, here's a stretch...Is there a Solaris version available?

The pam_listfile module should suit your needs here.  All you need to do
is set up a file with the list of users you don't want to log in, and add
that to the auth section of the config for those services you don't want
them to have access to.  So for example, if you were using the old
Solaris-style config and you didn't want the user to be able to use the
'login' service, you might add the line:

login	auth	required	/lib/security/pam_listfile.so item=user sense=deny file=/etc/security/nologin onerr=succeed

to /etc/pam.conf.

If the requested service has a line like this in the config, the user
will be denied access. If the service /doesn't/ have such a line, they'll
be accepted (assuming they can authenticate, that is).  So you could add a
line like this for 'login', which will affect login and telnet, and omit
this line for su, and it should give you the desired behaviour.  If you
have other remote access services in use, such as ssh or rsh, you'll need
to add a similar line to your config for them.

-Steve Langasek
postmodern programmer
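
An added example, not part of the original message: a small checker that reads a pam.conf in the single-file format shown above and reports, per service, whether a binding pam_listfile deny rule for the given file is present in the auth stack. The sample config, the sshd/rsh/ftp entries and the function names are constructed for illustration.

```python
import os

# Constructed sample in the single-file /etc/pam.conf format (not a real host's config).
SAMPLE_PAM_CONF = """\
# service  type  control  module-path  arguments
login  auth  required  /lib/security/pam_listfile.so item=user sense=deny \\
       file=/etc/security/nologin onerr=succeed
login  auth  required  /lib/security/pam_unix.so
su     auth  required  /lib/security/pam_unix.so
sshd   auth  required  /lib/security/pam_unix.so
rsh    auth  required  /lib/security/pam_rhosts_auth.so
ftp    auth  optional  /lib/security/pam_listfile.so item=user sense=deny file=/etc/security/nologin
ftp    auth  required  /lib/security/pam_unix.so
"""

def parse_pam_conf(text):
    """Yield (service, type, control, module, args) for each rule line."""
    joined = text.replace("\\\n", " ")        # backslash-newline continues a rule
    for line in joined.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        args = dict(a.partition("=")[::2] for a in fields[4:])
        yield service, mtype, control, module, args

def listfile_deny_coverage(text, deny_file):
    """Map each service that has auth rules to True if the deny list is enforced."""
    coverage = {}
    for service, mtype, control, module, args in parse_pam_conf(text):
        if mtype != "auth":
            continue
        enforced = (
            os.path.basename(module) == "pam_listfile.so"
            # a failure only blocks the login if the rule is required/requisite
            and control in ("required", "requisite")
            and args.get("item") == "user"
            and args.get("sense") == "deny"
            and args.get("file") == deny_file
        )
        coverage[service] = coverage.get(service, False) or enforced
    return coverage

if __name__ == "__main__":
    report = listfile_deny_coverage(SAMPLE_PAM_CONF, "/etc/security/nologin")
    for svc in sorted(report):
        print(f"{svc:6} {'deny list enforced' if report[svc] else 'no deny list'}")
```

In the sample, su is uncovered on purpose, while sshd, rsh and ftp (where the rule is only optional) are the remote services that would still admit a listed user.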

