Login restrictions in NIS environment

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Wed Jun 8 14:23:08 UTC 2005 

Hello,

OK, I now have a partly working solution... It disallows me from logging in
directly on the console, and it still allows everyone else access. I am
using James Cooley's suggestion of pam_access.

However, if I log in as root and 'su' to myself, it allows it, and if I SSH
into the machine as myself it allows it.

How can I stop my account from logging in via SSH as well using this method?

Here are the files from our test machine:

/etc/pam.d/login:
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
account    required     /lib/security/pam_access.so

/etc/pam.d/rlogin:
#%PAM-1.0
account    required     /lib/security/pam_access.so

/etc/pam.d/rsh:
#%PAM-1.0
account    required     /lib/security/pam_access.so

/etc/pam.d/ftp:
#%PAM-1.0
account    required     /lib/security/pam_access.so

I had to create "rlogin", "rsh" and "ftp" because they did not exist.

I also added the extra "account" line to the bottom of "login" as requested,
but is there something wrong with this file which is allowing me to log in
remotely and via 'su' ?

Thanks again,
Richard.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> Sent: 08 June 2005 14:44
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
> 
> Hello,
> 
> OK, I have now tried the following ideas, and none of them 
> have worked:
> 
> 1. Add the following to /etc/hosts.deny:
>      sshd: rhobbs at ALL, PARANOID
> 
> 2. Add the following to /etc/security/access.conf:
>      -:rhobbs nbaker:ALL
> 
> I didn't do the exact method that you suggested for 
> "/etc/hosts.allow" and
> "/etc/hosts.deny", because that seems to ban everything, and then let
> certain things through. I want to let everything through, and just ban
> certain users from sshd, so that's why I did step 1 in that way.
> 
> As for step 2, I don't know why this didn't work... The 
> "access.conf" file
> already existing, so I assume it is installed and running, 
> but perhaps it is
> not? I'll read the documentation on this one to see if it gives any
> pointers.
> 
> If you have any other advice, please let me know.
> 
> Thanks again,
> Richard.
> 
> -- 
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard.hobbs at crl.toshiba.co.uk
> Tel: +44 1223 376964        Mobile: +44 7811 803377 
> 
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com 
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Cecilio Marín
> > Sent: 08 June 2005 12:36
> > To: General Red Hat Linux discussion list
> > Subject: Re: Login restrictions in NIS environment
> > 
> > Well, the second method is a possible solution.
> > 
> > Services: DNS, HTTPD, NIS...
> > 
> > #/etc/hosts.allow
> > ypserv: ALL
> > httpd: ALL EXCEPT fred at ALL
> > bind: ALL EXCEPT fred at ALL
> > ....
> > <daemon>: ALL EXCEPT fred at ALL
> > 
> > #/etc/hosts.deny
> > #Very restrictive
> > ALL: ALL at ALL, PARANOID
> > 
> > But the problem is if the daemons are not ready to use 
> > wrappers (this is 
> > defined on compilation time of daemons).
> > 
> > Slts.
> > 
> > Richard Hobbs escribió:
> > 
> > >Hello,
> > >
> > >Banning particular IP addresses is useless to us... We need to ban
> > >particular users.
> > >
> > >For example, if we ban fred's machine, fred can still log in from a
> > >different machine. We need to ban fred from every machine, 
> > but he still
> > >needs to be able to log into other machines on the network.
> > >
> > >Thanks again,
> > >Richard.
> > >
> > >  
> > >
> > 
> > 
> > 
> > -- 
> > redhat-list mailing list
> > unsubscribe 
> mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> > 
> > 
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet 
> > Managed Scanning Services - powered by MessageLabs. For 
> > further information visit http://www.mci.com
> > 
> > 
> 
> 
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 



_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com

More information about the redhat-list mailing list