Login restrictions in NIS environment

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Thu Jun 9 08:15:19 UTC 2005


Hello,

Change of plan actually... Even commenting out that line in
"/etc/pam.d/system-auth" doesn't make a difference... I still cannot login
via IMAP.

Thanks again for any suggestions.

Hobbs.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 08:56
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
> 
> Hello,
> 
> Thanks for all the help on this people :-) It's very much appreciated.
> 
> I am now closer to a solution, but have a slightly different problem. IMAP
> logins are restricted - I shall explain my situation.
> 
> The relevant files now look like this:
> 
> /etc/pam.d/imap:
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
> 
> /etc/pam.d/login:
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> 
> /etc/security/access.conf:
> +:root:192.168.0.2
> -:root:ALL EXCEPT LOCAL
> +:monitoring rhobbs nbaker:ALL
> -:ALL:ALL EXCEPT LOCAL
> 
> /etc/pam.d/system-auth:
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        required      /lib/security/pam_deny.so
> account     required      /lib/security/pam_unix.so
> account     required      /lib/security/pam_access.so
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password    required      /lib/security/pam_deny.so
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> 
> So, as you can see, both login and IMAP use system-auth for "account".
> 
> "access.conf" allows root to login from 192.168.0.2 and denies it from
> everywhere else except LOCAL. It also allows "monitoring", "rhobbs" and
> "nbaker" to login from anywhere, but then denies everyone else from
> everywhere except LOCAL. This seems to work fine.
> 
> However, the user "monitoring" cannot login via IMAP unless the following
> line is commented out of "/etc/pam.d/system-auth":
> 
>      account     required      /lib/security/pam_access.so
> 
> Do you know why this is?? How can I fix it? Will any other issues arise
> like this which we won't notice until they are tested?
> 
> Thanks again,
> Hobbs.
> 
> -- 
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard.hobbs at crl.toshiba.co.uk
> Tel: +44 1223 376964        Mobile: +44 7811 803377 
> 
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com 
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> > Sent: 08 June 2005 20:26
> > To: General Red Hat Linux discussion list
> > Subject: Re: Login restrictions in NIS environment
> > 
> > try:
> > 
> > +:root:192.168.0.2
> > -:root:ALL EXCEPT LOCAL
> > 
> > Alternatively, since the rules are on a 'first match wins' basis you
> > could set all of your allowed accesses first (with + signs).  At the
> > end of the file, you can put:
> > 
> > -:ALL:ALL
> > 
> > which will deny everyone else.
> > 
> > --James Cooley
> > 
> > 
> > 
> > Richard Hobbs wrote:
> > 
> > >Hello,
> > >
> > >OK, I have now made the following changes:
> > >
> > >
> > >1. Put the system back to how it was before I started all this.
> > >
> > >
> > >2. Add the following line into "/etc/pam.d/system-auth":
> > >     account    required     /lib/security/pam_access.so
> > >
> > >
> > >3. Add the following line into "/etc/security/access.conf":
> > >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > >
> > >
> > >It now works perfectly! Everyone is banned from remotely logging into the
> > >system except rhobbs, nbaker and root!
> > >
> > >I need to make one more change though... And it doesn't seem to work. I need
> > >to ban root from logging in remotely except from certain IP addresses.
> > >
> > >I have tried the following, but it does not allow root to login even from
> > >that IP address:
> > >
> > >     -:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL EXCEPT LOCAL
> > >
> > >I have also tried using the hostname, and hostname.domain.co.uk instead of
> > >the IP address, but root still cannot log in from that host.
> > >
> > >Do you know how I can ban everyone from logging in remotely, except for a
> > >few users, and how I can ban root from logging in from any machine except
> > >particular ones?
> > >
> > >Thanks again, this is incredibly useful and massively appreciated :-)
> > >
> > >Richard.
> > >
> > >  
> > >
> > 
> > 
> > -- 
> > --
> > James Cooley
> > Sr. Systems Analyst
> > Information Technology
> > Florida Tech
> > 321-674-7999
> > jcooley at it.fit.edu
> > 
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
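An added example, not from anyone in this thread: a simplified Python model of how pam_access walks access.conf (first matching line wins, no match means access is granted), run over the exact four-line file quoted above. It covers only the syntax the thread uses (user names, ALL, EXCEPT, literal IP addresses or host names, and LOCAL, which matches any origin containing no "."); real pam_access also matches groups, netmasks and domain suffixes, and the origin it checks is PAM_RHOST, falling back to PAM_TTY, so the `origin` strings here are constructed stand-ins for whatever the calling service supplies.

```python
# Simplified model of pam_access evaluation (added example, not pam_access itself).
ACCESS_CONF = """
+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
"""


def _split_except(field):
    """Split 'a b EXCEPT c d' into (included, excluded) token lists."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _user_match(token, user):
    return token == "ALL" or token == user


def _origin_match(token, origin):
    # LOCAL matches an origin with no "." (a tty name or an unqualified host);
    # anything else is compared literally against the host name / IP address.
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token == origin


def _field_match(field, value, matcher):
    included, excluded = _split_except(field)
    hit = any(matcher(t, value) for t in included)
    return hit and not any(matcher(t, value) for t in excluded)


def parse_access_conf(text):
    """Return a list of (allow, users_field, origins_field) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = line.split(":", 2)
            rules.append((perm.strip() == "+", users, origins))
    return rules


def access_allowed(user, origin, conf=ACCESS_CONF):
    """First matching rule decides; with no matching rule pam_access grants access."""
    for allow, users, origins in parse_access_conf(conf):
        if _field_match(users, user, _user_match) and _field_match(origins, origin, _origin_match):
            return allow
    return True
```

Under this model "monitoring" is allowed from every origin, including an empty one, so the IMAP failure in the thread cannot come from the rules alone; the value the IMAP server hands PAM as PAM_RHOST or PAM_TTY is what pam_access actually matches against and is the first thing to log and check.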