Login restrictions in NIS environment

James Cooley jcooley at fit.edu
Wed Jun 8 14:33:01 UTC 2005


You can prevent the SSH login by adding pam_access to
/etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth
stack is called by both login and ssh access.

As for su, there really isn't any way that I know of to prevent that,
except by not making the user available in NIS.

--James Cooley


Richard Hobbs wrote:

>Hello,
>
>OK, I now have a partly working solution... It disallows me from logging in
>directly on the console, and it still allows everyone else access. I am
>using James Cooley's suggestion of pam_access.
>
>However, if I log in as root and 'su' to myself, it allows it, and if I SSH
>into the machine as myself it allows it.
>
>How can I stop my account from logging in via SSH as well using this method?
>
>Here are the files from our test machine:
>
>/etc/pam.d/login:
>#%PAM-1.0
>auth       required     /lib/security/pam_securetty.so
>auth       required     /lib/security/pam_stack.so service=system-auth
>auth       required     /lib/security/pam_nologin.so
>account    required     /lib/security/pam_stack.so service=system-auth
>password   required     /lib/security/pam_stack.so service=system-auth
>session    required     /lib/security/pam_stack.so service=system-auth
>session    optional     /lib/security/pam_console.so
>account    required     /lib/security/pam_access.so
>
>/etc/pam.d/rlogin:
>#%PAM-1.0
>account    required     /lib/security/pam_access.so
>
>/etc/pam.d/rsh:
>#%PAM-1.0
>account    required     /lib/security/pam_access.so
>
>/etc/pam.d/ftp:
>#%PAM-1.0
>account    required     /lib/security/pam_access.so
>
>I had to create "rlogin", "rsh" and "ftp" because they did not exist.
>
>I also added the extra "account" line to the bottom of "login" as requested,
>but is there something wrong with this file which is allowing me to log in
>remotely and via 'su' ?
>
>Thanks again,
>Richard.
>


-- 
James Cooley
Sr. Systems Analyst
Information Technology
Florida Tech
321-674-7999
jcooley at it.fit.edu
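
Added example, not part of the original messages or of any Red Hat tooling: a small Python audit that resolves each service's `account` stack through `pam_stack.so service=...` (and the newer `include`/`substack` controls) and reports whether pam_access is actually reached, which is why login was restricted in the thread but SSH was not. The `sshd` and `system-auth` file contents below are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample files modelled on the thread; the sshd and system-auth
# contents are assumptions, not files posted in the original messages.
SAMPLE = {
    "login": (
        "#%PAM-1.0\n"
        "auth     required /lib/security/pam_stack.so service=system-auth\n"
        "account  required /lib/security/pam_stack.so service=system-auth\n"
        "account  required /lib/security/pam_access.so\n"
    ),
    "sshd": (
        "#%PAM-1.0\n"
        "auth     required /lib/security/pam_stack.so service=system-auth\n"
        "account  required /lib/security/pam_stack.so service=system-auth\n"
    ),
    "system-auth": (
        "#%PAM-1.0\n"
        "auth     required /lib/security/pam_unix.so\n"
        "account  required /lib/security/pam_unix.so\n"
    ),
}

# type, control (plain word or [bracketed]), module, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def account_modules(service, files, seen=()):
    """List modules run in a service's account stack, following nested stacks."""
    if service in seen or service not in files:   # stop on loops or missing files
        return []
    mods = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())   # drop comments
        if not m or m.group(1) != "account":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        target = re.search(r"service=(\S+)", args)
        if control in ("include", "substack"):          # newer Linux-PAM syntax
            mods += account_modules(module, files, seen + (service,))
        elif module.endswith("pam_stack.so") and target:  # syntax used in the thread
            mods += account_modules(target.group(1), files, seen + (service,))
        else:
            mods.append(module.rsplit("/", 1)[-1])
    return mods

def enforces_access(service, files):
    """True if pam_access.so is reached in the service's account stack."""
    return "pam_access.so" in account_modules(service, files)

def with_fix(files):
    """Copy of files with pam_access added to system-auth, as suggested above."""
    line = "account  required /lib/security/pam_access.so\n"
    return {**files, "system-auth": files["system-auth"] + line}
```

To audit a real host, build the `files` dictionary from the contents of /etc/pam.d (file name as key) and call `enforces_access` for each service that accepts logins.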



