Login restrictions in NIS environment

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Thu Jun 9 07:56:06 UTC 2005 

Hello,

Thanks for all the help on this people :-) It's very much appreciated.

I am now closer to a solution, but have a slightly different problem. IMAP
logins are restricted - I shall explain my situation.

The relevant files now look like this:

/etc/pam.d/imap:
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

/etc/pam.d/login:
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

/etc/security/access.conf:
+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL

/etc/pam.d/system-auth:
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_access.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow nis
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

So, as you can see, both login and IMAP both use system-auth for "account".

"access.conf" allows root to login from 192.168.0.2 and denies it from
everywhere else except LOCAL. It also allows "monitoring", "rhobbs" and
"nbaker" to login from anywhere, but then denies everyone else from
everywhere except LOCAL. This seems to work fine.

However, the user "monitoring" can not login via IMAP unless the following
line is commented out of "/etc/pam.d/system-auth":

     account     required      /lib/security/pam_access.so

Do you know why this is?? How can I fix it? Will any other issues arrise
like this which we won't notice until they are tested?

Thanks again,
Hobbs.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> Sent: 08 June 2005 20:26
> To: General Red Hat Linux discussion list
> Subject: Re: Login restrictions in NIS environment
> 
> try:
> 
> +:root:192.168.0.2
> -:root:ALL EXCEPT LOCAL
> 
> Alternatively, since the rules are on a 'first match wins' basis you
> could set all of your allowed accesses first ( with + signs).  At the
> end of the file, you can put:
> 
> -:ALL:ALL
> 
> which will deny everyone else.
> 
> --James Cooley
> 
> 
> 
> Richard Hobbs wrote:
> 
> >Hello,
> >
> >OK, I have now made the following changes:
> >
> >
> >1. Put the system back to how it was before I started all this.
> >
> >
> >2. Add the following line into "/etc/pam.d/system-auth":
> >     account    required     /lib/security/pam_access.so
> >
> >
> >3. Add the following line into "/etc/security/access.conf":
> >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> >
> >
> >It now works perfectly! Everyone is banned from remotely 
> logging into the
> >system except rhobbs, nbaker and root!
> >
> >I need to make one more change though... And it doesn't seem 
> to work. I need
> >to ban root from logging in remotely except from certain IP 
> addresses.
> >
> >I have tried the following, but it does not allow root to 
> login even from
> >that IP address:
> >
> >     -:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL EXCEPT LOCAL
> >
> >I have also tried using the hostname, and 
> hostname.domain.co.uk instead of
> >the IP address, but root still cannot log in from that host.
> >
> >Do you know how I can ban everyone from logging in remotely, 
> except for a
> >few users, and how I can ban root from logging in from any 
> machine except
> >particular ones?
> >
> >Thanks again, this is incredibly useful and massively appreciated :-)
> >
> >Richard.
> >
> >  
> >
> 
> 
> -- 
> --
> James Cooley
> Sr. Systems Analyst
> Information Technology
> Florida Tech
> 321-674-7999
> jcooley at it.fit.edu
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 



_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com

More information about the redhat-list mailing list