Problems with pam_nologin.so
Viswanath Kasi
viswanath.kvg at gmail.com
Wed May 12 18:14:01 UTC 2010
This would be quite opposite to our basic requirement, i.e. "to allow certain
users (eg the administrators) access to a system even when /etc/nologin is
present". This modification would provide the session to any authenticated
user who is not in the admin group.
Regards,
Viswanath
On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <
michael.hebenstreit at intel.com> wrote:
> was drowned in work - thanks for the answer, but what do you think about:
>
> auth include system-auth
> account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
> account required pam_nologin.so
> account include system-auth
>
> isn't that even less intrusive? I skip the nologin check for everyone in
> "group_name"
> thanks
> Michael
>
> ------------------------------
> *From:* Viswanath Kasi [mailto:viswanath.kvg at gmail.com]
> *Sent:* Thursday, May 06, 2010 6:52 AM
> *To:* Hebenstreit, Michael
> *Cc:* pam-list at redhat.com; rohan.lahiri at gmail.com
> *Subject:* Re: Problems with pam_nologin.so
>
> Michael,
>
> You can also try this for multiple users based on a group
>
> account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
> account sufficient pam_permit.so
> account required pam_nologin.so
> account include system-auth
>
> Regards,
>
> Viswanath
>
>
> On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg at gmail.com> wrote:
>
>> Hi! Michael
>>
>> I made the following changes which worked for me on sshd service without
>> changing system auth.
>>
>> auth include system-auth
>> account [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
>> account sufficient pam_permit.so
>> account required pam_nologin.so
>> account include system-auth
>>
>> You can try this..!
>>
>> Regards,
>>
>> Viswanath
>>
>>
>>
>> On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <
>> michael.hebenstreit at intel.com> wrote:
>>
>>> I'm sorry to hit the entire list with this question but after some hours
>>> research I'm still unable to find a solution to my problem. I need a way to
>>> allow certain users (eg the administrators) access to a system even when
>>> /etc/nologin is present. The original Redhat 5 config read like:
>>>
>>> auth include system-auth
>>> account required pam_nologin.so
>>> account include system-auth
>>> ....
>>>
>>> with system-auth containing
>>>
>>> ...
>>> account required pam_unix.so
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account required pam_permit.so
>>> ...
>>>
>>> My modification would be:
>>>
>>> #%PAM-1.0
>>> auth include system-auth
>>> account include system-auth
>>> account sufficient pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
>>> account required pam_nologin.so
>>> ....
>>>
>>> Which holes do I open by moving pam_nologin.so to the end of the stack?
>>> Are there better ways to reach my goal?
>>>
>>> thanks for any help
>>> Michael
>>>
>>>
>>> ------------------------------------------------------------------------
>>> Michael Hebenstreit Senior Cluster Architect
>>> Intel Corporation Software and Services Group/DRD
>>> 2800 N Center Dr, DP3-307 Tel.: +1 253 371 3144
>>> WA 98327, DuPont
>>> UNITED STATES E-mail:
>>> michael.hebenstreit at intel.com
>>>
>>
>>
>
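
Added example (not part of the thread and not Linux-PAM code): a simplified Python model of the control-flag handling, run over the `ingroup` + `pam_permit.so` stack and the `notingroup` stack quoted above with /etc/nologin present. Assumptions: the module stand-ins, the three constructed accounts, and `system-auth` collapsed into a single required check.

```python
# Added example: simplified model of Linux-PAM control-flag handling for an
# account stack. Module behaviour and the single system_auth stand-in are assumptions.
REQUIRED = {"success": "ok", "default": "bad"}
SUFFICIENT = {"success": "done", "default": "ignore"}
SKIP1 = {"success": "ignore", "default": 1}   # [default=1 success=ignore]

def evaluate(stack, ctx):
    """Walk [(control, module)] pairs; return True if the account phase permits ctx."""
    failed = passed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        result = "success" if module(ctx) else "failure"
        action = control.get(result, control["default"])
        if isinstance(action, int):
            i += action                # jump over the next N modules, verdict unchanged
        elif action == "bad":
            failed = True              # required failure is remembered, stack continues
        elif action == "ok":
            passed = True
        elif action == "done":
            return not failed          # sufficient success ends the stack here
    return passed and not failed

# Stand-ins for the real modules (pam_nologin's root exemption is left out).
def ingroup(ctx): return ctx["admin"]
def notingroup(ctx): return not ctx["admin"]
def pam_permit(ctx): return True
def pam_nologin(ctx): return not ctx["nologin"]
def system_auth(ctx): return not ctx["expired"]   # e.g. pam_unix account expiry

INGROUP_STACK = [(SKIP1, ingroup), (SUFFICIENT, pam_permit),
                 (REQUIRED, pam_nologin), (REQUIRED, system_auth)]
NOTINGROUP_STACK = [(SKIP1, notingroup),
                    (REQUIRED, pam_nologin), (REQUIRED, system_auth)]

# Constructed test accounts, all evaluated with /etc/nologin present.
ACCOUNTS = {"admin": (True, False), "expired_admin": (True, True), "user": (False, False)}

def outcomes(stack):
    """Map each constructed account to permit/deny for the given stack."""
    return {name: evaluate(stack, {"admin": a, "expired": e, "nologin": True})
            for name, (a, e) in ACCOUNTS.items()}

if __name__ == "__main__":
    for label, stack in (("ingroup + pam_permit", INGROUP_STACK), ("notingroup", NOTINGROUP_STACK)):
        print(label, outcomes(stack))
```

In this model the `sufficient pam_permit.so` line ends the account phase for group members, so the later `system-auth` checks are never reached, while the `notingroup` stack only jumps over `pam_nologin.so`.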