Problems with pam_nologin.so

Viswanath Kasi viswanath.kvg at gmail.com
Thu May 6 13:52:20 UTC 2010


Michael,

You can also try this for multiple users based on a group:

account  [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
account  sufficient     pam_permit.so
account    required     pam_nologin.so
account    include      system-auth

Regards,

Viswanath


On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg at gmail.com> wrote:

> Hi! Michael
>
> I made the following changes which worked for me on sshd service without
> changing system-auth.
>
> auth       include      system-auth
> account  [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
> account  sufficient     pam_permit.so
> account    required     pam_nologin.so
> account    include      system-auth
>
> You can try this..!
>
> Regards,
>
> Viswanath
>
>
>
> On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <
> michael.hebenstreit at intel.com> wrote:
>
>> I'm sorry to hit the entire list with this question but after some hours
>> research I'm still unable to find a solution to my problem. I need a way to
>> allow certain users (eg the administrators) access to a system even when
>> /etc/nologin is present. The original Redhat 5 config read like:
>>
>>  auth       include      system-auth
>>  account    required     pam_nologin.so
>>  account    include      system-auth
>>  ....
>>
>> with system-auth containing
>>
>>  ...
>>  account     required      pam_unix.so
>>  account     sufficient    pam_succeed_if.so uid < 500 quiet
>>  account     required      pam_permit.so
>>  ...
>>
>> My modification would be:
>>
>>  #%PAM-1.0
>>  auth       include      system-auth
>>  account    include      system-auth
>>  account    sufficient   pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
>>  account    required     pam_nologin.so
>>  ....
>>
>> Which holes do I open by moving pam_nologin.so to the end of the stack?
>> Are there better ways to reach my goal?
>>
>> thanks for any help
>> Michael
>>
>>
>> ------------------------------------------------------------------------
>> Michael Hebenstreit                 Senior Cluster Architect
>> Intel Corporation                   Software and Services Group/DRD
>> 2800 N Center Dr, DP3-307           Tel.:   +1 253 371 3144
>> WA 98327, DuPont
>> UNITED STATES                       E-mail: michael.hebenstreit at intel.com
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>
>
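
An added example, not part of the original thread: a small Python model of the account stack posted at the top of this message, walked with Linux-PAM's required / sufficient / [success=.. default=..] control rules. The module verdicts, the users, the /etc/nologin scenario and the `[success=1 default=ignore]` variant are assumptions of this example; system-auth is flattened from the lines quoted in the thread.

```python
NOLOGIN_PRESENT = True  # constructed scenario: /etc/nologin exists

def module_ok(name, user):
    """Simulated module verdicts (constructed, not calls into real PAM)."""
    return {
        "succeed_if ingroup": user["in_group"],
        "succeed_if uid<500": user["uid"] < 500,
        "pam_permit": True,
        "pam_nologin": user["uid"] == 0 or not NOLOGIN_PRESENT,
        "pam_unix": not user["expired"],   # account expiry check
    }[name]

def run_account_stack(stack, user):
    """Apply required / sufficient / [success=.. default=..]; return (granted, modules_run)."""
    failed, seen_ok, skip, ran = False, False, 0, []
    for control, name in stack:
        if skip:                           # jumped over by a preceding [..=N]
            skip -= 1
            continue
        ok = module_ok(name, user)
        ran.append(name)
        if isinstance(control, dict):
            action = control["success"] if ok else control["default"]
            if isinstance(action, int):
                skip = action              # "ignore" leaves the result untouched
        elif control == "required":
            seen_ok, failed = seen_ok or ok, failed or not ok
        elif control == "sufficient" and ok and not failed:
            return True, ran               # success ends the stack immediately
    return seen_ok and not failed, ran

# "account include system-auth", flattened from the lines quoted in the thread
SYSTEM_AUTH = [("required", "pam_unix"), ("sufficient", "succeed_if uid<500"),
               ("required", "pam_permit")]
# Stack as posted: [default=1 success=ignore] + sufficient pam_permit.so
POSTED = [({"success": "ignore", "default": 1}, "succeed_if ingroup"),
          ("sufficient", "pam_permit"), ("required", "pam_nologin")] + SYSTEM_AUTH
# Assumed variant (not from the thread): [success=1 default=ignore] jumps only pam_nologin
VARIANT = [({"success": 1, "default": "ignore"}, "succeed_if ingroup"),
           ("required", "pam_nologin")] + SYSTEM_AUTH

EXPIRED_ADMIN = {"uid": 1001, "in_group": True, "expired": True}   # constructed users
ADMIN = {"uid": 1001, "in_group": True, "expired": False}
NORMAL = {"uid": 1002, "in_group": False, "expired": False}
if __name__ == "__main__":
    for label, stack in (("posted", POSTED), ("variant", VARIANT)):
        for user in (EXPIRED_ADMIN, ADMIN, NORMAL):
            print(label, user, run_account_stack(stack, user))
```

For the expired group member, the posted stack ends at pam_permit.so, so pam_unix.so in system-auth never runs; in the variant only pam_nologin.so is jumped over and the expiry check still applies.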