Login restrictions in NIS environment

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Wed Jun 8 15:50:06 UTC 2005


Hello,

OK, I have now made the following changes:


1. Put the system back to how it was before I started all this.


2. Add the following line into "/etc/pam.d/system-auth":
     account    required     /lib/security/pam_access.so


3. Add the following line into "/etc/security/access.conf":
     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL


It now works perfectly! Everyone is banned from remotely logging into the
system except rhobbs, nbaker and root!

I need to make one more change though... And it doesn't seem to work. I need
to ban root from logging in remotely except from certain IP addresses.

I have tried the following, but it does not allow root to login even from
that IP address:

     -:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL

I have also tried using the hostname, and hostname.domain.co.uk instead of
the IP address, but root still cannot log in from that host.

Do you know how I can ban everyone from logging in remotely, except for a
few users, and how I can ban root from logging in from any machine except
particular ones?

Thanks again, this is incredibly useful and massively appreciated :-)

Richard.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 
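A simplified model of how pam_access evaluates /etc/security/access.conf, added here as an illustration (it is not part of this thread and not the module's own code): lines are tried in order, the first line whose users field and origins field both match decides, a login matching no line is allowed, and a user@host token in the users field is compared against the server's own host name (a constructed "testbox" below), not against where the login comes from. The two-line rule set alongside the thread's own lines expresses the root exception as a separate allow line placed before the deny.

```python
# Simplified model of how pam_access evaluates /etc/security/access.conf.
# Assumed and simplified (no group or netgroup matching); not the real module.
LOCAL_HOSTNAME = "testbox"   # constructed name of the server running pam_access

def _origin_match(tok, origin):
    """Match one token of the origins field against the login origin."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":       # LOCAL matches an origin with no '.' (a tty/console)
        return "." not in origin
    if tok.endswith("."):    # "192.168.0." matches the start of an address
        return origin.startswith(tok)
    return tok == origin

def _user_match(tok, user):
    """Match one token of the users field against the login name."""
    if tok == "ALL":
        return True
    if "@" in tok:           # user@host: the host part is matched against the
        name, host = tok.split("@", 1)   # server's own name, not the origin
        return name == user and _origin_match(host, LOCAL_HOSTNAME)
    return tok == user

def _field_match(field, value, match_one):
    """Evaluate a whole field; tokens after EXCEPT take matches away."""
    toks = field.split()
    i = toks.index("EXCEPT") if "EXCEPT" in toks else len(toks)
    return (any(match_one(t, value) for t in toks[:i])
            and not any(match_one(t, value) for t in toks[i + 1:]))

def check_access(rules, user, origin):
    """True if the login is allowed: the first matching line decides and a
    login that matches no line at all is allowed."""
    for line in rules:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_field_match(users, user, _user_match)
                and _field_match(origins, origin, _origin_match)):
            return perm == "+"
    return True

# Rule sets from the thread, plus a two-line alternative for the root case.
WORKING = ["-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL"]
ATTEMPT = ["-:ALL EXCEPT rhobbs nbaker root@192.168.0.2:ALL EXCEPT LOCAL"]
TWO_LINE = ["+:root:192.168.0.2",          # root allowed from this address...
            "-:ALL EXCEPT rhobbs nbaker:ALL EXCEPT LOCAL"]  # ...then deny the rest
```

The origin string sshd hands to PAM is normally the client's resolved host name when a reverse lookup succeeds and its address otherwise, so the allow line may need to name the host rather than the IP.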

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> Sent: 08 June 2005 15:33
> To: General Red Hat Linux discussion list
> Subject: Re: Login restrictions in NIS environment
> 
> You can prevent the SSH login by adding pam_access to /etc/pam.d/system-auth
> instead of /etc/pam.d/login. The system-auth stack is called by both login
> and ssh access.
> 
> As for su, there really isn't any way that I know of to prevent that,
> except by not making the user available in nis.
> 
> --James Cooley
> 
> 
> Richard Hobbs wrote:
> 
> >Hello,
> >
> >OK, I now have a partly working solution... It disallows me from logging in
> >directly on the console, and it still allows everyone else access. I am
> >using James Cooley's suggestion of pam_access.
> >
> >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
> >into the machine as myself it allows it.
> >
> >How can I stop my account from logging in via SSH as well using this method?
> >
> >Here are the files from our test machine:
> >
> >/etc/pam.d/login:
> >#%PAM-1.0
> >auth       required     /lib/security/pam_securetty.so
> >auth       required     /lib/security/pam_stack.so service=system-auth
> >auth       required     /lib/security/pam_nologin.so
> >account    required     /lib/security/pam_stack.so service=system-auth
> >password   required     /lib/security/pam_stack.so service=system-auth
> >session    required     /lib/security/pam_stack.so service=system-auth
> >session    optional     /lib/security/pam_console.so
> >account    required     /lib/security/pam_access.so
> >
> >/etc/pam.d/rlogin:
> >#%PAM-1.0
> >account    required     /lib/security/pam_access.so
> >
> >/etc/pam.d/rsh:
> >#%PAM-1.0
> >account    required     /lib/security/pam_access.so
> >
> >/etc/pam.d/ftp:
> >#%PAM-1.0
> >account    required     /lib/security/pam_access.so
> >
> >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
> >
> >I also added the extra "account" line to the bottom of "login" as requested,
> >but is there something wrong with this file which is allowing me to log in
> >remotely and via 'su'?
> >
> >Thanks again,
> >Richard.
> >
> 
> 
> -- 
> James Cooley
> Sr. Systems Analyst
> Information Technology
> Florida Tech
> 321-674-7999
> jcooley at it.fit.edu
> 
