Problems with pam_nologin.so

Viswanath Kasi viswanath.kvg at gmail.com
Wed May 12 22:13:03 UTC 2010


Yes, you are right, Michael. It was my bad. My initial configuration uses
permit.so, which is a promiscuous module, whereas your configuration doesn't,
making this even less intrusive, as you stated. It works perfectly.


Regards,
Viswanath


On Thu, May 13, 2010 at 12:22 AM, Hebenstreit, Michael <
michael.hebenstreit at intel.com> wrote:

>  *confused*
>
> From documentation I got:
> *default*, implies 'all *valueN*'s not mentioned explicitly. Note, the
> full list of PAM errors is available in /usr/include/security/_pam_types.h.
> The *actionN* can be: an unsigned integer, *n*, signifying an action of
> 'jump over the next *n* modules in the stack';
>
> and the example
>
> Given that the type matches, only loads the othermodule rule if the UID is
> over 500. Adjust the number after default to skip several rules.
>
> type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
> type required othermodule.so arguments...
>
> as I understand - the default action is to skip the next line; the default
> action is executed in the case of failure.
>
>      auth       include      system-auth
>     account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
>     account    required     pam_nologin.so
>     account    include      system-auth
>  Standard users are not in <group_name>. The test succeeds, and so the
> next line is executed - requiring "no_login".  For administrators the test
> fails, as they are members of the group <group_name>, default kicks in and
> the no_login line is jumped over.
>
> My tests indicate it works, so I'm a little bit confused now.
> Could you please clarify?
>
> thanks
> Michael
>
>  ------------------------------
> *From:* Viswanath Kasi [mailto:viswanath.kvg at gmail.com]
> *Sent:* Wednesday, May 12, 2010 11:14 AM
>
> *To:* Hebenstreit, Michael
> *Cc:* pam-list at redhat.com; rohan.lahiri at gmail.com
> *Subject:* Re: Problems with pam_nologin.so
>
> This would be quite the opposite of our basic requirement, i.e. "to allow certain
> users (eg the administrators) access to a system even when /etc/nologin is
> present". This modification would provide the session to any authenticated
> user who is not in the admin group.
>
> Regards,
> Viswanath
>
>
> On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <
> michael.hebenstreit at intel.com> wrote:
>
>>  was drowned in work - thanks for the answer, but what do you think
>> about:
>>
>>     auth       include      system-auth
>>     account  [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
>>     account    required     pam_nologin.so
>>     account    include      system-auth
>>
>> isn't that even less intrusive? I skip the nologin check for everyone in
>> "group_name"
>> thanks
>> Michael
>>
>>  ------------------------------
>> *From:* Viswanath Kasi [mailto:viswanath.kvg at gmail.com]
>> *Sent:* Thursday, May 06, 2010 6:52 AM
>> *To:* Hebenstreit, Michael
>> *Cc:* pam-list at redhat.com; rohan.lahiri at gmail.com
>> *Subject:* Re: Problems with pam_nologin.so
>>
>>   Michael,
>>
>> You can also try this for multiple users based on a group
>>
>>  account  [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
>> account  sufficient     pam_permit.so
>> account    required     pam_nologin.so
>> account    include      system-auth
>>
>> Regards,
>>
>> Viswanath
>>
>>
>> On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg at gmail.com> wrote:
>>
>>> Hi! Michael
>>>
>>> I made the following changes, which worked for me on the sshd service without
>>> changing system-auth.
>>>
>>> auth       include      system-auth
>>> account  [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
>>> account  sufficient     pam_permit.so
>>> account    required     pam_nologin.so
>>> account    include      system-auth
>>>
>>> You can try this..!
>>>
>>> Regards,
>>>
>>> Viswanath
>>>
>>>
>>>
>>> On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <
>>> michael.hebenstreit at intel.com> wrote:
>>>
>>>> I'm sorry to hit the entire list with this question but after some hours
>>>> research I'm still unable to find a solution to my problem. I need a way to
>>>> allow certain users (eg the administrators) access to a system even when
>>>> /etc/nologin is present. The original Redhat 5 config read like:
>>>>
>>>>  auth       include      system-auth
>>>>  account    required     pam_nologin.so
>>>>  account    include      system-auth
>>>>  ....
>>>>
>>>> with system-auth containing
>>>>
>>>>  ...
>>>>  account     required      pam_unix.so
>>>>  account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>>  account     required      pam_permit.so
>>>>  ...
>>>>
>>>> My modification would be:
>>>>
>>>>  #%PAM-1.0
>>>>  auth       include      system-auth
>>>>  account    include      system-auth
>>>>  account    sufficient   pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
>>>>  account    required     pam_nologin.so
>>>>  ....
>>>>
>>>> Which holes do I open by moving pam_nologin.so to the end of the stack?
>>>> Are there better ways to reach my goal?
>>>>
>>>> thanks for any help
>>>> Michael
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> Michael Hebenstreit                 Senior Cluster Architect
>>>> Intel Corporation                   Software and Services Group/DRD
>>>> 2800 N Center Dr, DP3-307           Tel.:   +1 253 371 3144
>>>> WA 98327, DuPont
>>>> UNITED STATES                       E-mail:
>>>> michael.hebenstreit at intel.com
>>>>
>>>> _______________________________________________
>>>> Pam-list mailing list
>>>> Pam-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>>
>>>
>>>
>>
>
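As an added illustration (not part of the thread, and not Linux-PAM's own code), the following Python script models the control-flag semantics the messages above argue about: `[default=1 success=ignore]` jumping over the next rule, `required` recording a failure but continuing, and `sufficient` ending the stack on success. It builds the two candidate account stacks from the thread (Michael's `notingroup` jump and Viswanath's `ingroup` plus `sufficient pam_permit.so`) and runs them against constructed users. Assumptions: the group is called `admins`, uids and the expiry flag are made up, `include system-auth` is flattened into the caller's stack, only success/failure return values exist, and a stack that records no result fails.

```python
"""Toy model of how Linux-PAM walks an account stack (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Action = Union[str, int]  # "ok", "done", "bad", "die", "ignore", or a jump count N

# pam.conf(5) defines the keyword controls in terms of the bracketed form:
REQUIRED = {"success": "ok", "default": "bad"}
SUFFICIENT = {"success": "done", "default": "ignore"}


@dataclass
class Rule:
    name: str
    control: Dict[str, Action]
    module: Callable[[dict], bool]  # True models PAM_SUCCESS, False any error


def run_stack(rules: List[Rule], ctx: dict) -> Tuple[bool, list]:
    """Evaluate an account stack; return (allowed, trace).

    Simplifications (assumptions of this toy model): only success/failure
    return values, an unlisted value acts as 'bad', 'include' lines are
    flattened into the caller's stack, and a stack that never records a
    result fails.
    """
    impression = None  # None: nothing recorded, True: positive, False: negative
    trace = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        ok = rule.module(ctx)
        action = rule.control.get("success" if ok else "default", "bad")
        trace.append((rule.name, ok, action))
        i += 1
        if action == "ignore":
            continue  # result does not influence the stack
        if action in ("ok", "done"):
            if impression is None:
                impression = True  # an earlier failure is never overwritten
            if action == "done" and impression:
                break  # 'sufficient' success ends the stack immediately
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break
        elif isinstance(action, int) and action > 0:
            i += action  # jump: skip the next N rules without running them
    return impression is True, trace


def pam_nologin(ctx: dict) -> bool:
    # Denies everyone except root while /etc/nologin exists
    return not ctx["nologin_present"] or ctx["uid"] == 0


def pam_unix_account(ctx: dict) -> bool:
    # Stands in for pam_unix's account checks (account expiry etc.)
    return not ctx["expired"]


# The system-auth account section quoted in the thread, flattened
SYSTEM_AUTH_ACCOUNT = [
    Rule("pam_unix", REQUIRED, pam_unix_account),
    Rule("pam_succeed_if uid<500", SUFFICIENT, lambda c: c["uid"] < 500),
    Rule("pam_permit", REQUIRED, lambda c: True),
]
ADMIN_GROUP = "admins"  # hypothetical stand-in for <group_name>


def michael_stack() -> List[Rule]:
    """notingroup test; failure (= admin) jumps over pam_nologin only."""
    return [
        Rule("pam_succeed_if notingroup", {"success": "ignore", "default": 1},
             lambda c: ADMIN_GROUP not in c["groups"]),
        Rule("pam_nologin", REQUIRED, pam_nologin),
    ] + SYSTEM_AUTH_ACCOUNT


def viswanath_stack() -> List[Rule]:
    """ingroup test; success (= admin) falls into 'sufficient pam_permit'."""
    return [
        Rule("pam_succeed_if ingroup", {"success": "ignore", "default": 1},
             lambda c: ADMIN_GROUP in c["groups"]),
        Rule("pam_permit", SUFFICIENT, lambda c: True),
        Rule("pam_nologin", REQUIRED, pam_nologin),
    ] + SYSTEM_AUTH_ACCOUNT


def allowed(stack: List[Rule], ctx: dict) -> bool:
    return run_stack(stack, ctx)[0]


if __name__ == "__main__":
    # Constructed users: uids, group membership and expiry are made up
    admin = {"uid": 1000, "groups": {"admins"}, "nologin_present": True, "expired": False}
    expired_admin = dict(admin, expired=True)
    user = {"uid": 1001, "groups": set(), "nologin_present": True, "expired": False}
    for label, ctx in [("admin", admin), ("expired admin", expired_admin), ("user", user)]:
        print(f"{label:14} michael={allowed(michael_stack(), ctx)} "
              f"viswanath={allowed(viswanath_stack(), ctx)}")
```

The expired-admin case is the "promiscuous" behaviour Viswanath concedes at the top of the thread: `sufficient pam_permit.so` returns success before the account checks in system-auth run, so an admin whose account pam_unix would reject still gets a session, whereas the `notingroup` jump bypasses nothing but pam_nologin. Ordinary users are refused by both stacks while /etc/nologin exists, and root remains exempt because pam_nologin itself lets uid 0 through.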