Problems with pam_nologin.so
Hebenstreit, Michael
michael.hebenstreit at intel.com
Wed May 12 22:16:27 UTC 2010
thanks for your advise, greatly appreciated
Michael
________________________________
From: Viswanath Kasi [mailto:viswanath.kvg at gmail.com]
Sent: Wednesday, May 12, 2010 3:13 PM
To: Hebenstreit, Michael
Cc: pam-list at redhat.com; rohan.lahiri at gmail.com
Subject: Re: Problems with pam_nologin.so
Yes you are right Micheal.It was my bad.My initial configuration uses permit.so which is a promiscuous module,where as your configuration doesn't, making this even less intrusive, as you stated.It works perfectly.
Regards,
Viswanath
On Thu, May 13, 2010 at 12:22 AM, Hebenstreit, Michael <michael.hebenstreit at intel.com<mailto:michael.hebenstreit at intel.com>> wrote:
*confused*
>From documentation I got:
default, implies 'all valueN's not mentioned explicitly. Note, the full list of PAM errors is available in /usr/include/security/_pam_types.h. The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack';
and the example
Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.
type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...
as I understand - the default action is to skip the next line; the default action is executed in the case of failure.
auth include system-auth
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
account required pam_nologin.so
account include system-auth
Standard users are not in <group_name>. The test succeeds, and so the next line is executed - requiring "no_login". For administrators the tests fails, as they are members of the group <group_name>, default kicks in and the no_login line is jumped over
my tests indicate it works, so I'm a little bit confused now
could you please clarify?
thanks
Michael
________________________________
From: Viswanath Kasi [mailto:viswanath.kvg at gmail.com<mailto:viswanath.kvg at gmail.com>]
Sent: Wednesday, May 12, 2010 11:14 AM
To: Hebenstreit, Michael
Cc: pam-list at redhat.com<mailto:pam-list at redhat.com>; rohan.lahiri at gmail.com<mailto:rohan.lahiri at gmail.com>
Subject: Re: Problems with pam_nologin.so
This would be quite opposite to our basic requirement i.e "to allow certain users (eg the administrators) access to a system even when /etc/nologin is present".This modification would provide the session to any authenticated user who is not in the admin group.
Regards,
Viswanath
On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <michael.hebenstreit at intel.com<mailto:michael.hebenstreit at intel.com>> wrote:
was drowned in work - thanks for the answer, but what do you think about:
auth include system-auth
account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
account required pam_nologin.so
account include system-auth
isn't that even less intrusive? I skip the nologin check for everyone in "group_name"
thanks
Michael
________________________________
From: Viswanath Kasi [mailto:viswanath.kvg at gmail.com<mailto:viswanath.kvg at gmail.com>]
Sent: Thursday, May 06, 2010 6:52 AM
To: Hebenstreit, Michael
Cc: pam-list at redhat.com<mailto:pam-list at redhat.com>; rohan.lahiri at gmail.com<mailto:rohan.lahiri at gmail.com>
Subject: Re: Problems with pam_nologin.so
Micheal,
You can also try this for multiple users based on a group
account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
account sufficient pam_permit.so
account required pam_nologin.so
account include system-auth
Regards,
Viswanath
On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg at gmail.com<mailto:viswanath.kvg at gmail.com>> wrote:
Hi! Michael
I made the following changes which worked for me on sshd service with out changing system auth.
auth include system-auth
account [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
account sufficient pam_permit.so
account required pam_nologin.so
account include system-auth
You can try this..!
Regards,
Viswanath
On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <michael.hebenstreit at intel.com<mailto:michael.hebenstreit at intel.com>> wrote:
I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:
auth include system-auth
account required pam_nologin.so
account include system-auth
....
with system-auth containing
...
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
...
My modification would be:
#%PAM-1.0
auth include system-auth
account include system-auth
account sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
account required pam_nologin.so
....
Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?
thanks for any help
Michael
------------------------------------------------------------------------
Michael Hebenstreit Senior Cluster Architect
Intel Corporation Software and Services Group/DRD
2800 N Center Dr, DP3-307 Tel.: +1 253 371 3144
WA 98327, DuPont
UNITED STATES E-mail: michael.hebenstreit at intel.com<mailto:michael.hebenstreit at intel.com>
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com<mailto:Pam-list at redhat.com>
https://www.redhat.com/mailman/listinfo/pam-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20100512/046a00e0/attachment.htm>
More information about the Pam-list
mailing list