Using PAM for additional SSH/Console authentication
Stuart Sears
stuart at sjsears.com
Thu Apr 29 09:50:50 UTC 2004
Ed Wilts wrote:
>On Wed, Apr 28, 2004 at 01:29:43PM -0700, Yagi Angrypants wrote:
>
>
>>A while ago I had configured an RH box so that ssh
>>users had to have their account names entered into a
>>text file (in addition to the "usual" requirements) in
>>order to be able to ssh into a machine.
>>
>>I can't remember how to do this now. I'd like to
>>configure a box I have now so that ssh and console
>>users need to have their accounts specifically
>>entered into additional text files to permit such
>>access. Can someone point me to a good link that
>>discusses modifying the PAM configuration to
>>accomplish this?
>>
>>
>
>The easiest way to do this is via the sshd_config file that forces users
>to be members of a group to allow the ssh login. man sshd_config and
>search for AllowGroup
>
>
Yes, that would work quite well, but it doesn't deal with local logins. PAM
controls everything!!
(well, most things that require authentication, anyway)
>Console users are handled via /etc/securetty I think.
>
>
/etc/securetty is just a list of terminals that the system considers
'secure'.
PAM will not allow root logins on a terminal not listed in that file.
(i.e. if you want to rescue over a serial console, better make sure that
/dev/ttyS0 is listed!)
Stuart
--
Stuart Sears RHCE/RHCX
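
The serial-console caveat above, as an added example that is not part of the original message: a pre-flight check that every console= device on a kernel command line is listed in a securetty-style file. The function names, the sample file and the sample command line are constructed for illustration; skipping blank and '#' lines is an assumption about the file format.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# tty_listed FILE TTY: succeed if TTY is listed in the securetty-style FILE.
# Names are compared with any leading /dev/ removed on both sides.
tty_listed() {
    file=$1
    want=${2#/dev/}
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        case $line in
            ''|'#'*) continue ;;   # assumption: blank and '#' lines are ignored
        esac
        [ "${line#/dev/}" = "$want" ] && return 0
    done < "$file"
    return 1
}

# consoles_from_cmdline "CMDLINE": print the device of each console= argument,
# dropping serial options such as ",115200n8".
consoles_from_cmdline() {
    for arg in $1; do
        case $arg in
            console=*) dev=${arg#console=}; printf '%s\n' "${dev%%,*}" ;;
        esac
    done
}

# missing_consoles FILE "CMDLINE": print consoles where root login would be refused.
missing_consoles() {
    for tty in $(consoles_from_cmdline "$2"); do
        tty_listed "$1" "$tty" || printf '%s\n' "$tty"
    done
}

# Constructed sample input: a securetty file without the serial port.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample securetty
console
tty1
tty2
EOF
SAMPLE_CMDLINE='ro root=/dev/sda1 console=tty1 console=ttyS0,115200n8'

missing_consoles "$SAMPLE" "$SAMPLE_CMDLINE"
```

On a real host the same check would be run as missing_consoles /etc/securetty "$(cat /proc/cmdline)".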