Login restrictions in NIS environment
Richard Hobbs
richard.hobbs at crl.toshiba.co.uk
Wed Jun 8 15:50:06 UTC 2005
Hello,
OK, I have now made the following changes:
1. Put the system back to how it was before I started all this.
2. Add the following line into "/etc/pam.d/system-auth":
account required /lib/security/pam_access.so
3. Add the following line into "/etc/security/access.conf":
-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
It now works perfectly! Everyone is banned from remotely logging into the
system except rhobbs, nbaker and root!
I need to make one more change though... And it doesn't seem to work. I need
to ban root from logging in remotely except from certain IP addresses.
I have tried the following, but it does not allow root to login even from
that IP address:
-:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL EXCEPT LOCAL
I have also tried using the hostname, and hostname.domain.co.uk instead of
the IP address, but root still cannot log in from that host.
Do you know how I can ban everyone from logging in remotely, except for a
few users, and how I can ban root from logging in from any machine except
particular ones?
Thanks again, this is incredibly useful and massively appreciated :-)
Richard.
--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964 Mobile: +44 7811 803377
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> Sent: 08 June 2005 15:33
> To: General Red Hat Linux discussion list
> Subject: Re: Login restrictions in NIS environment
>
> You can prevent the SSH login by adding pam_access to
> /etc/pam.d/system-auth instead of /etc/pam.d/login. The
> system-auth
> stack is called by both login and ssh access.
>
> As for su, there really isn't any way that I know of to prevent that,
> except by not making the user available in nis.
>
> --James Cooley
>
>
> Richard Hobbs wrote:
>
> >Hello,
> >
> >OK, I now have a partly working solution... It disallows me
> from logging in
> >directly on the console, and it still allows everyone else
> access. I am
> >using James Cooley's suggestion of pam_access.
> >
> >However, if I log in as root and 'su' to myself, it allows
> it, and if I SSH
> >into the machine as myself it allows it.
> >
> >How can I stop my account from logging in via SSH as well
> using this method?
> >
> >Here are the files from our test machine:
> >
> >/etc/pam.d/login:
> >#%PAM-1.0
> >auth required /lib/security/pam_securetty.so
> >auth required /lib/security/pam_stack.so
> service=system-auth
> >auth required /lib/security/pam_nologin.so
> >account required /lib/security/pam_stack.so
> service=system-auth
> >password required /lib/security/pam_stack.so
> service=system-auth
> >session required /lib/security/pam_stack.so
> service=system-auth
> >session optional /lib/security/pam_console.so
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rlogin:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rsh:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/ftp:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
> >
> >I also added the extra "account" line to the bottom of
> "login" as requested,
> >but is there something wrong with this file which is
> allowing me to log in
> >remotely and via 'su' ?
> >
> >Thanks again,
> >Richard.
> >
> >
> >
>
>
> --
> --
> James Cooley
> Sr. Systems Analyst
> Information Technology
> Florida Tech
> 321-674-7999
> jcooley at it.fit.edu
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet
> Managed Scanning Services - powered by MessageLabs. For
> further information visit http://www.mci.com
>
_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com
More information about the redhat-list
mailing list