Login restrictions in NIS environment
Richard Hobbs
richard.hobbs at crl.toshiba.co.uk
Thu Jun 9 08:15:19 UTC 2005
Hello,
Change of plan actually... Even commenting out that line in
"/etc/pam.d/system-auth" doesn't make a difference... I still cannot login
via IMAP.
Thanks again for any suggestions.
Hobbs.
--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964 Mobile: +44 7811 803377
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 08:56
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
>
> Hello,
>
> Thanks for all the help on this people :-) It's very much appreciated.
>
> I am now closer to a solution, but have a slightly different
> problem. IMAP
> logins are restricted - I shall explain my situation.
>
> The relevant files now look like this:
>
> /etc/pam.d/imap:
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
>
> /etc/pam.d/login:
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> /etc/security/access.conf:
> +:root:192.168.0.2
> -:root:ALL EXCEPT LOCAL
> +:monitoring rhobbs nbaker:ALL
> -:ALL:ALL EXCEPT LOCAL
>
> /etc/pam.d/system-auth:
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth required /lib/security/pam_deny.so
> account required /lib/security/pam_unix.so
> account required /lib/security/pam_access.so
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
>
> So, as you can see, both login and IMAP use system-auth for "account".
>
> "access.conf" allows root to login from 192.168.0.2 and denies it from
> everywhere else except LOCAL. It also allows "monitoring",
> "rhobbs" and
> "nbaker" to login from anywhere, but then denies everyone else from
> everywhere except LOCAL. This seems to work fine.
>
> However, the user "monitoring" can not login via IMAP unless the following
> line is commented out of "/etc/pam.d/system-auth":
>
> account required /lib/security/pam_access.so
>
> Do you know why this is? How can I fix it? Will any other issues arise
> like this which we won't notice until they are tested?
>
> Thanks again,
> Hobbs.
>
> --
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard.hobbs at crl.toshiba.co.uk
> Tel: +44 1223 376964 Mobile: +44 7811 803377
>
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> > Sent: 08 June 2005 20:26
> > To: General Red Hat Linux discussion list
> > Subject: Re: Login restrictions in NIS environment
> >
> > try:
> >
> > +:root:192.168.0.2
> > -:root:ALL EXCEPT LOCAL
> >
> > Alternatively, since the rules are on a 'first match wins' basis you
> > could set all of your allowed accesses first (with + signs). At the
> > end of the file, you can put:
> >
> > -:ALL:ALL
> >
> > which will deny everyone else.
> >
> > --James Cooley
> >
> >
> >
> > Richard Hobbs wrote:
> >
> > >Hello,
> > >
> > >OK, I have now made the following changes:
> > >
> > >
> > >1. Put the system back to how it was before I started all this.
> > >
> > >
> > >2. Add the following line into "/etc/pam.d/system-auth":
> > > account required /lib/security/pam_access.so
> > >
> > >
> > >3. Add the following line into "/etc/security/access.conf":
> > > -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > >
> > >
> > >It now works perfectly! Everyone is banned from remotely
> > logging into the
> > >system except rhobbs, nbaker and root!
> > >
> > >I need to make one more change though... And it doesn't seem
> > to work. I need
> > >to ban root from logging in remotely except from certain IP
> > addresses.
> > >
> > >I have tried the following, but it does not allow root to
> > login even from
> > >that IP address:
> > >
> > > -:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL EXCEPT LOCAL
> > >
> > >I have also tried using the hostname, and
> > hostname.domain.co.uk instead of
> > >the IP address, but root still cannot log in from that host.
> > >
> > >Do you know how I can ban everyone from logging in remotely,
> > except for a
> > >few users, and how I can ban root from logging in from any
> > machine except
> > >particular ones?
> > >
> > >Thanks again, this is incredibly useful and massively
> appreciated :-)
> > >
> > >Richard.
> > >
> > >
> > >
> >
> >
> > --
> > --
> > James Cooley
> > Sr. Systems Analyst
> > Information Technology
> > Florida Tech
> > 321-674-7999
> > jcooley at it.fit.edu
> >
> > --
> > redhat-list mailing list
> > unsubscribe
> mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> >
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet
> > Managed Scanning Services - powered by MessageLabs. For
> > further information visit http://www.mci.com
> >
>
>
>
>
>
>
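The following Python model is an added illustration, not part of the thread and not the pam_access source. It approximates how pam_access evaluates /etc/security/access.conf (one rule per line, first matching rule wins, no matching rule means access is permitted, "EXCEPT" subtracts a second list from the first, "LOCAL" matches an origin with no dot in it such as a tty name) and runs the rule set posted in the thread against constructed (user, origin) pairs. It also shows the single-rule form from the earlier post and James Cooley's trailing "-:ALL:ALL". The origin string stands for what the service hands PAM as the remote host, falling back to the tty name; a service that supplies neither is not modelled here, and my reading of the older module is that it then returns an error instead of consulting the table, which is worth checking for the IMAP daemon rather than assuming.

```python
"""Toy model of pam_access rule evaluation for /etc/security/access.conf.

Added illustration only: an approximation of the module's matching rules,
not the pam_access source.  Semantics modelled:
  * one rule per line:  permission : users : origins
  * first matching rule wins; no matching rule means access is permitted
  * a list is whitespace-separated tokens, optionally followed by EXCEPT
    and a second list that subtracts from the first
  * ALL matches anything; LOCAL matches an origin containing no "."
    (a tty name such as tty1); an origin token ending in "." is a network
    prefix (192.168.0. matches 192.168.0.2); a token starting with "." is a
    domain suffix; anything else is an exact match
"""
from typing import Callable, List, Optional, Tuple

Rule = Tuple[bool, str, str]          # (permit, users field, origins field)

# Constructed copy of the access.conf posted in the thread.
ACCESS_CONF = """
+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse access.conf text into (permit, users, origins) tuples."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm == "+", users, origins))
    return rules


def user_matches(tok: str, user: str) -> bool:
    return tok == "ALL" or tok == user


def origin_matches(tok: str, origin: str) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    if tok.endswith("."):                 # network prefix, e.g. 192.168.0.
        return origin.startswith(tok)
    if tok.startswith("."):               # domain suffix, e.g. .example.co.uk
        return origin.endswith(tok)
    return tok == origin


def list_matches(field: str, value: str, match: Callable[[str, str], bool]) -> bool:
    """Match value against 'a b c EXCEPT x y': in the head and not in the tail."""
    tokens = field.split()
    head, tail = tokens, []
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    if not any(match(t, value) for t in head):
        return False
    return not any(match(t, value) for t in tail)


def decide(rules: List[Rule], user: str, origin: str) -> Tuple[bool, Optional[int]]:
    """Return (permitted, index of the deciding rule); index is None when no
    rule matched, in which case pam_access permits by default."""
    for i, (permit, users, origins) in enumerate(rules):
        if list_matches(users, user, user_matches) and \
           list_matches(origins, origin, origin_matches):
            return permit, i
    return True, None


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, origin in [("root", "192.168.0.2"), ("root", "10.0.0.5"),
                         ("root", "tty1"), ("monitoring", "10.1.2.3"),
                         ("bob", "10.1.2.3"), ("bob", "tty2")]:
        permitted, idx = decide(rules, user, origin)
        print(f"{user:>10} from {origin:<12} -> "
              f"{'permit' if permitted else 'deny ':6} (rule {idx})")
```

Running the model against the thread's table shows the intended behaviour: root is permitted only from 192.168.0.2 or a local tty, the three named users from anywhere, everyone else only locally, and a local login that matches no rule falls through to the default permit. Appending "-:ALL:ALL" as suggested turns that fall-through into a deny, which is the difference between the two styles of table discussed above.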