Login restrictions in NIS environment

Richard Hobbs richard.hobbs at crl.toshiba.co.uk
Thu Jun 9 12:23:42 UTC 2005 

Hello,

OK, this problem is not caused by my mail client, or my client machine. Our
test machine is actually refusing logins via IMAP after some time.

It has been working perfectly for about 2 hours, but just now it has stopped
accepting logins via IMAP from the "monitoring" user account again.

Has anyone seen this bug before? Do you know if a later version of something
fixes the problem?

Thanks again,
Hobbs.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 10:58
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
> 
> Hello,
> 
> Apologies to all... My mail client and the machine it was on 
> actually needed
> rebooting for some reason... IMAP authenticates perfectly now :-)
> 
> Thanks to all who have helped!! Here's a summary of what I 
> required, and
> what I have done to get it:
> 
> Requirements:
> 
> "root" can only log in from certain machines, and is banned 
> from all others
> except LOCAL.
> "rhobbs", "nbaker" and "monitoring" can log in from any machine.
> All other users cannot login from anywhere except LOCAL.
> 
> Resolution:
> 
> 1. Add the following line to "/etc/pam.d/system-auth":
>      account     required      /lib/security/pam_access.so
> 
> 2. Add the following lines to "/etc/security/access.conf":
>      +:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
>      -:root:ALL EXCEPT LOCAL
>      +:monitoring rhobbs nbaker:ALL
>      -:ALL:ALL EXCEPT LOCAL
> 
> It seems to work perfectly! :-)
> 
> Thanks again people!
> 
> Hobbs.
> 
> -- 
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard.hobbs at crl.toshiba.co.uk
> Tel: +44 1223 376964        Mobile: +44 7811 803377 
> 
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com 
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> > Sent: 09 June 2005 09:15
> > To: 'General Red Hat Linux discussion list'
> > Subject: RE: Login restrictions in NIS environment
> > 
> > Hello,
> > 
> > Change of plan actually... Even commenting out that line in
> > "/etc/pam.d/system-auth" doesn't make a difference... I still 
> > cannot login
> > via IMAP.
> > 
> > Thanks again for any suggestions.
> > 
> > Hobbs.
> > 
> > -- 
> > Richard Hobbs (Systems Administrator)
> > Toshiba Research Europe Ltd. - Speech Technology Group
> > Web: http://www.toshiba-europe.com/research/
> > Email: richard.hobbs at crl.toshiba.co.uk
> > Tel: +44 1223 376964        Mobile: +44 7811 803377 
> > 
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com 
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> > > Sent: 09 June 2005 08:56
> > > To: 'General Red Hat Linux discussion list'
> > > Subject: RE: Login restrictions in NIS environment
> > > 
> > > Hello,
> > > 
> > > Thanks for all the help on this people :-) It's very much 
> > appreciated.
> > > 
> > > I am now closer to a solution, but have a slightly different 
> > > problem. IMAP
> > > logins are restricted - I shall explain my situation.
> > > 
> > > The relevant files now look like this:
> > > 
> > > /etc/pam.d/imap:
> > > auth       required     /lib/security/pam_stack.so 
> > service=system-auth
> > > account    required     /lib/security/pam_stack.so 
> > service=system-auth
> > > 
> > > /etc/pam.d/login:
> > > auth       required     /lib/security/pam_securetty.so
> > > auth       required     /lib/security/pam_stack.so 
> > service=system-auth
> > > auth       required     /lib/security/pam_nologin.so
> > > account    required     /lib/security/pam_stack.so 
> > service=system-auth
> > > password   required     /lib/security/pam_stack.so 
> > service=system-auth
> > > session    required     /lib/security/pam_stack.so 
> > service=system-auth
> > > session    optional     /lib/security/pam_console.so
> > > 
> > > /etc/security/access.conf:
> > > +:root:192.168.0.2
> > > -:root:ALL EXCEPT LOCAL
> > > +:monitoring rhobbs nbaker:ALL
> > > -:ALL:ALL EXCEPT LOCAL
> > > 
> > > /etc/pam.d/system-auth:
> > > auth        required      /lib/security/pam_env.so
> > > auth        sufficient    /lib/security/pam_unix.so 
> likeauth nullok
> > > auth        required      /lib/security/pam_deny.so
> > > account     required      /lib/security/pam_unix.so
> > > account     required      /lib/security/pam_access.so
> > > password    required      /lib/security/pam_cracklib.so 
> > retry=3 type=
> > > password    sufficient    /lib/security/pam_unix.so nullok 
> > > use_authtok md5
> > > shadow nis
> > > password    required      /lib/security/pam_deny.so
> > > session     required      /lib/security/pam_limits.so
> > > session     required      /lib/security/pam_unix.so
> > > 
> > > So, as you can see, both login and IMAP both use system-auth 
> > > for "account".
> > > 
> > > "access.conf" allows root to login from 192.168.0.2 and 
> > denies it from
> > > everywhere else except LOCAL. It also allows "monitoring", 
> > > "rhobbs" and
> > > "nbaker" to login from anywhere, but then denies everyone 
> else from
> > > everywhere except LOCAL. This seems to work fine.
> > > 
> > > However, the user "monitoring" can not login via IMAP unless 
> > > the following
> > > line is commented out of "/etc/pam.d/system-auth":
> > > 
> > >      account     required      /lib/security/pam_access.so
> > > 
> > > Do you know why this is?? How can I fix it? Will any other 
> > > issues arrise
> > > like this which we won't notice until they are tested?
> > > 
> > > Thanks again,
> > > Hobbs.
> > > 
> > > -- 
> > > Richard Hobbs (Systems Administrator)
> > > Toshiba Research Europe Ltd. - Speech Technology Group
> > > Web: http://www.toshiba-europe.com/research/
> > > Email: richard.hobbs at crl.toshiba.co.uk
> > > Tel: +44 1223 376964        Mobile: +44 7811 803377 
> > > 
> > > > -----Original Message-----
> > > > From: redhat-list-bounces at redhat.com 
> > > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of 
> James Cooley
> > > > Sent: 08 June 2005 20:26
> > > > To: General Red Hat Linux discussion list
> > > > Subject: Re: Login restrictions in NIS environment
> > > > 
> > > > try:
> > > > 
> > > > +:root:192.168.0.2
> > > > -:root:ALL EXCEPT LOCAL
> > > > 
> > > > Alternatively, since the rules are on a 'first match 
> > wins' basis you
> > > > could set all of your allowed accesses first ( with + 
> > > signs).  At the
> > > > end of the file, you can put:
> > > > 
> > > > -:ALL:ALL
> > > > 
> > > > which will deny everyone else.
> > > > 
> > > > --James Cooley
> > > > 
> > > > 
> > > > 
> > > > Richard Hobbs wrote:
> > > > 
> > > > >Hello,
> > > > >
> > > > >OK, I have now made the following changes:
> > > > >
> > > > >
> > > > >1. Put the system back to how it was before I started all this.
> > > > >
> > > > >
> > > > >2. Add the following line into "/etc/pam.d/system-auth":
> > > > >     account    required     /lib/security/pam_access.so
> > > > >
> > > > >
> > > > >3. Add the following line into "/etc/security/access.conf":
> > > > >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > > > >
> > > > >
> > > > >It now works perfectly! Everyone is banned from remotely 
> > > > logging into the
> > > > >system except rhobbs, nbaker and root!
> > > > >
> > > > >I need to make one more change though... And it doesn't seem 
> > > > to work. I need
> > > > >to ban root from logging in remotely except from certain IP 
> > > > addresses.
> > > > >
> > > > >I have tried the following, but it does not allow root to 
> > > > login even from
> > > > >that IP address:
> > > > >
> > > > >     -:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL 
> EXCEPT LOCAL
> > > > >
> > > > >I have also tried using the hostname, and 
> > > > hostname.domain.co.uk instead of
> > > > >the IP address, but root still cannot log in from that host.
> > > > >
> > > > >Do you know how I can ban everyone from logging in remotely, 
> > > > except for a
> > > > >few users, and how I can ban root from logging in from any 
> > > > machine except
> > > > >particular ones?
> > > > >
> > > > >Thanks again, this is incredibly useful and massively 
> > > appreciated :-)
> > > > >
> > > > >Richard.
> > > > >
> > > > >  
> > > > >
> > > > 
> > > > 
> > > > -- 
> > > > --
> > > > James Cooley
> > > > Sr. Systems Analyst
> > > > Information Technology
> > > > Florida Tech
> > > > 321-674-7999
> > > > jcooley at it.fit.edu
> > > > 
> > > > -- 
> > > > redhat-list mailing list
> > > > unsubscribe 
> > > mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > 
> > > > 
> > > 
> > 
> _____________________________________________________________________
> > > > This e-mail has been scanned for viruses by MCI's Internet 
> > > > Managed Scanning Services - powered by MessageLabs. For 
> > > > further information visit http://www.mci.com
> > > > 
> > > 
> > > 
> > > 
> > > 
> > 
> _____________________________________________________________________
> > > This e-mail has been scanned for viruses by MCI's Internet 
> > > Managed Scanning Services - powered by MessageLabs. For 
> > > further information visit http://www.mci.com
> > > 
> > > -- 
> > > redhat-list mailing list
> > > unsubscribe 
> > mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > 
> > > 
> > 
> _____________________________________________________________________
> > > This e-mail has been scanned for viruses by MCI's Internet 
> > > Managed Scanning Services - powered by MessageLabs. For 
> > > further information visit http://www.mci.com
> > > 
> > 
> > 
> > 
> > 
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet 
> > Managed Scanning Services - powered by MessageLabs. For 
> > further information visit http://www.mci.com
> > 
> > -- 
> > redhat-list mailing list
> > unsubscribe 
> mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> > 
> > 
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet 
> > Managed Scanning Services - powered by MessageLabs. For 
> > further information visit http://www.mci.com
> > 
> 
> 
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 
> 



_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com

More information about the redhat-list mailing list