Login restrictions in NIS environment
Richard Hobbs
richard.hobbs at crl.toshiba.co.uk
Thu Jun 9 15:18:07 UTC 2005
Hello,
Sorry to reply to my own email for the fifth time now, but here's the latest
update on this issue...
By making these changes...
----------------------------------------------------------------------
1. Add the following line to "/etc/pam.d/system-auth":
account required /lib/security/pam_access.so
2. Add the following lines to "/etc/security/access.conf":
+:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
----------------------------------------------------------------------
...it blocks out everyone as intended, and still allows monitoring, rhobbs
and nbaker to log in, but it seems to block out IMAP connections - not after
a couple of hours though, instantly.
It appears to be the line in "/etc/pam.d/system-auth" that's causing the
issues, because even if I comment out all 4 lines in
"/etc/security/access.conf" it still denies IMAP logins.
Does anyone know why this is?
Thanks in advance,
Hobbs.
--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs at crl.toshiba.co.uk
Tel: +44 1223 376964 Mobile: +44 7811 803377
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 13:24
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
>
> Hello,
>
> OK, this problem is not caused by my mail client, or my client machine.
> Our test machine is actually refusing logins via IMAP after some time.
>
> It has been working perfectly for about 2 hours, but just now it has
> stopped accepting logins via IMAP from the "monitoring" user account again.
>
> Has anyone seen this bug before? Do you know if a later version of
> something fixes the problem?
>
> Thanks again,
> Hobbs.
>
> --
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard.hobbs at crl.toshiba.co.uk
> Tel: +44 1223 376964 Mobile: +44 7811 803377
>
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> > Sent: 09 June 2005 10:58
> > To: 'General Red Hat Linux discussion list'
> > Subject: RE: Login restrictions in NIS environment
> >
> > Hello,
> >
> > Apologies to all... My mail client and the machine it was on actually
> > needed rebooting for some reason... IMAP authenticates perfectly now :-)
> >
> > Thanks to all who have helped!! Here's a summary of what I required,
> > and what I have done to get it:
> >
> > Requirements:
> >
> > "root" can only log in from certain machines, and is banned from all
> > others except LOCAL.
> > "rhobbs", "nbaker" and "monitoring" can log in from any machine.
> > All other users cannot log in from anywhere except LOCAL.
> >
> > Resolution:
> >
> > 1. Add the following line to "/etc/pam.d/system-auth":
> > account required /lib/security/pam_access.so
> >
> > 2. Add the following lines to "/etc/security/access.conf":
> > +:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
> > -:root:ALL EXCEPT LOCAL
> > +:monitoring rhobbs nbaker:ALL
> > -:ALL:ALL EXCEPT LOCAL
> >
> > It seems to work perfectly! :-)
> >
> > Thanks again people!
> >
> > Hobbs.
> >
> > --
> > Richard Hobbs (Systems Administrator)
> > Toshiba Research Europe Ltd. - Speech Technology Group
> > Web: http://www.toshiba-europe.com/research/
> > Email: richard.hobbs at crl.toshiba.co.uk
> > Tel: +44 1223 376964 Mobile: +44 7811 803377
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> > > Sent: 09 June 2005 09:15
> > > To: 'General Red Hat Linux discussion list'
> > > Subject: RE: Login restrictions in NIS environment
> > >
> > > Hello,
> > >
> > > Change of plan actually... Even commenting out that line in
> > > "/etc/pam.d/system-auth" doesn't make a difference... I still
> > > cannot log in via IMAP.
> > >
> > > Thanks again for any suggestions.
> > >
> > > Hobbs.
> > >
> > > --
> > > Richard Hobbs (Systems Administrator)
> > > Toshiba Research Europe Ltd. - Speech Technology Group
> > > Web: http://www.toshiba-europe.com/research/
> > > Email: richard.hobbs at crl.toshiba.co.uk
> > > Tel: +44 1223 376964 Mobile: +44 7811 803377
> > >
> > > > -----Original Message-----
> > > > From: redhat-list-bounces at redhat.com
> > > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Richard Hobbs
> > > > Sent: 09 June 2005 08:56
> > > > To: 'General Red Hat Linux discussion list'
> > > > Subject: RE: Login restrictions in NIS environment
> > > >
> > > > Hello,
> > > >
> > > > Thanks for all the help on this people :-) It's very much
> > > > appreciated.
> > > >
> > > > I am now closer to a solution, but have a slightly different
> > > > problem. IMAP logins are restricted - I shall explain my situation.
> > > >
> > > > The relevant files now look like this:
> > > >
> > > > /etc/pam.d/imap:
> > > > auth required /lib/security/pam_stack.so service=system-auth
> > > > account required /lib/security/pam_stack.so service=system-auth
> > > >
> > > > /etc/pam.d/login:
> > > > auth required /lib/security/pam_securetty.so
> > > > auth required /lib/security/pam_stack.so service=system-auth
> > > > auth required /lib/security/pam_nologin.so
> > > > account required /lib/security/pam_stack.so service=system-auth
> > > > password required /lib/security/pam_stack.so service=system-auth
> > > > session required /lib/security/pam_stack.so service=system-auth
> > > > session optional /lib/security/pam_console.so
> > > >
> > > > /etc/security/access.conf:
> > > > +:root:192.168.0.2
> > > > -:root:ALL EXCEPT LOCAL
> > > > +:monitoring rhobbs nbaker:ALL
> > > > -:ALL:ALL EXCEPT LOCAL
> > > >
> > > > /etc/pam.d/system-auth:
> > > > auth required /lib/security/pam_env.so
> > > > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > > > auth required /lib/security/pam_deny.so
> > > > account required /lib/security/pam_unix.so
> > > > account required /lib/security/pam_access.so
> > > > password required /lib/security/pam_cracklib.so retry=3 type=
> > > > password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> > > > password required /lib/security/pam_deny.so
> > > > session required /lib/security/pam_limits.so
> > > > session required /lib/security/pam_unix.so
> > > >
> > > > So, as you can see, both login and IMAP use system-auth for
> > > > "account".
> > > >
> > > > "access.conf" allows root to log in from 192.168.0.2 and denies it
> > > > from everywhere else except LOCAL. It also allows "monitoring",
> > > > "rhobbs" and "nbaker" to log in from anywhere, but then denies
> > > > everyone else from everywhere except LOCAL. This seems to work fine.
> > > >
> > > > However, the user "monitoring" cannot log in via IMAP unless the
> > > > following line is commented out of "/etc/pam.d/system-auth":
> > > >
> > > > account required /lib/security/pam_access.so
> > > >
> > > > Do you know why this is?? How can I fix it? Will any other issues
> > > > arise like this which we won't notice until they are tested?
> > > >
> > > > Thanks again,
> > > > Hobbs.
> > > >
> > > > --
> > > > Richard Hobbs (Systems Administrator)
> > > > Toshiba Research Europe Ltd. - Speech Technology Group
> > > > Web: http://www.toshiba-europe.com/research/
> > > > Email: richard.hobbs at crl.toshiba.co.uk
> > > > Tel: +44 1223 376964 Mobile: +44 7811 803377
> > > >
> > > > > -----Original Message-----
> > > > > From: redhat-list-bounces at redhat.com
> > > > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of James Cooley
> > > > > Sent: 08 June 2005 20:26
> > > > > To: General Red Hat Linux discussion list
> > > > > Subject: Re: Login restrictions in NIS environment
> > > > >
> > > > > try:
> > > > >
> > > > > +:root:192.168.0.2
> > > > > -:root:ALL EXCEPT LOCAL
> > > > >
> > > > > Alternatively, since the rules are on a 'first match wins' basis
> > > > > you could set all of your allowed accesses first (with + signs).
> > > > > At the end of the file, you can put:
> > > > >
> > > > > -:ALL:ALL
> > > > >
> > > > > which will deny everyone else.
> > > > >
> > > > > --James Cooley
> > > > >
> > > > >
> > > > >
> > > > > Richard Hobbs wrote:
> > > > >
> > > > > >Hello,
> > > > > >
> > > > > >OK, I have now made the following changes:
> > > > > >
> > > > > >
> > > > > >1. Put the system back to how it was before I started all this.
> > > > > >
> > > > > >
> > > > > >2. Add the following line into "/etc/pam.d/system-auth":
> > > > > > account required /lib/security/pam_access.so
> > > > > >
> > > > > >
> > > > > >3. Add the following line into "/etc/security/access.conf":
> > > > > > -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > > > > >
> > > > > >
> > > > > >It now works perfectly! Everyone is banned from remotely logging
> > > > > >into the system except rhobbs, nbaker and root!
> > > > > >
> > > > > >I need to make one more change though... And it doesn't seem to
> > > > > >work. I need to ban root from logging in remotely except from
> > > > > >certain IP addresses.
> > > > > >
> > > > > >I have tried the following, but it does not allow root to log in
> > > > > >even from that IP address:
> > > > > >
> > > > > > -:ALL EXCEPT rhobbs nbaker root at 192.168.0.2:ALL EXCEPT LOCAL
> > > > > >
> > > > > >I have also tried using the hostname, and hostname.domain.co.uk
> > > > > >instead of the IP address, but root still cannot log in from
> > > > > >that host.
> > > > > >
> > > > > >Do you know how I can ban everyone from logging in remotely,
> > > > > >except for a few users, and how I can ban root from logging in
> > > > > >from any machine except particular ones?
> > > > > >
> > > > > >Thanks again, this is incredibly useful and massively
> > > > > >appreciated :-)
> > > > > >
> > > > > >Richard.
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > James Cooley
> > > > > Sr. Systems Analyst
> > > > > Information Technology
> > > > > Florida Tech
> > > > > 321-674-7999
> > > > > jcooley at it.fit.edu
> > > > >
> > > > > --
> > > > > redhat-list mailing list
> > > > > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > >
> > > > > _____________________________________________________________________
> > > > > This e-mail has been scanned for viruses by MCI's Internet
> > > > > Managed Scanning Services - powered by MessageLabs. For
> > > > > further information visit http://www.mci.com
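James Cooley's point that access.conf is evaluated on a first-match-wins basis is what makes the final rule set in this thread work, and it is also the first thing to check when a service such as IMAP is unexpectedly denied: pam_access decides on the user name and on an origin string, which is whatever the calling service set as PAM_RHOST (or the tty name when no remote host is set), so the question for a puzzling denial is which rule fires for the origin the daemon actually presents. The Python script below is an added example, not code from the thread or from Linux-PAM; it parses an access.conf and traces each (user, origin) pair to the rule that decides it. The evaluation semantics it assumes (first match wins, grant when nothing matches, LOCAL matching any origin with no "." in it, ".domain" suffix and "net." prefix tokens) are taken from the pam_access(8) behaviour of that era and are stated as assumptions in the code, as are the constructed origins in SAMPLE_CASES and the user name someuser; group, netgroup and user@host tokens are not modelled.

```python
"""Simulate pam_access(8) first-match-wins evaluation of access.conf.

Constructed example, not code from the thread or from Linux-PAM.  The
semantics below are ASSUMED to follow the 2005-era pam_access module:

  * a line is  permission:users:origins  with '+' = allow and '-' = deny
  * the first line whose users AND origins both match decides the result
  * if no line matches at all, access is granted
  * ALL matches anything; "a b EXCEPT c d" matches a or b unless c or d matches
  * LOCAL matches any origin string containing no '.' (tty names such as
    tty1 are local; hostnames and dotted IPs are not)
  * an origin token starting with '.' is a domain suffix, one ending with
    '.' is a network prefix, anything else is an exact case-insensitive match

Group names, netgroups and user@host tokens are deliberately not modelled.
"""

from typing import Callable, List, Optional, Tuple

Rule = Tuple[str, List[str], List[str]]

# Constructed sample: the final access.conf from the thread, with a comment
# line added to show that comments are ignored.
ACCESS_CONF = """\
# root only from two named hosts; any other remote origin for root is denied
+:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
"""


def parse_access_conf(text: str) -> List[Rule]:
    """Turn access.conf text into (permission, user_tokens, origin_tokens)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        perm, users, origins = parts
        rules.append((perm, users.split(), origins.split()))
    return rules


def string_match(tok: str, value: str) -> bool:
    """ALL, LOCAL, or exact case-insensitive match of a single token."""
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in value  # assumed LOCAL semantics, see module docstring
    return tok.lower() == value.lower()


def from_match(tok: str, origin: str) -> bool:
    """Origin token: ALL/LOCAL/exact, '.domain' suffix or 'net.' prefix."""
    if string_match(tok, origin):
        return True
    tok, origin = tok.lower(), origin.lower()
    if tok.startswith("."):
        return origin.endswith(tok)
    if tok.endswith("."):
        return origin.startswith(tok)
    return False


def list_match(tokens: List[str], value: str,
               matcher: Callable[[str, str], bool]) -> bool:
    """Match value against a token list, honouring 'a b EXCEPT c d'."""
    uppers = [t.upper() for t in tokens]
    if "EXCEPT" in uppers:
        cut = uppers.index("EXCEPT")
        before, after = tokens[:cut], tokens[cut + 1:]
    else:
        before, after = tokens, []
    if not any(matcher(t, value) for t in before):
        return False
    # The positive part matched; the EXCEPT list (itself a token list,
    # so an empty one never matches) can cancel that match.
    return not list_match(after, value, matcher)


def check_access(rules: List[Rule], user: str,
                 origin: str) -> Tuple[bool, Optional[Rule]]:
    """First rule matching both user and origin decides; no match means allowed."""
    for rule in rules:
        perm, users, origins = rule
        if list_match(origins, origin, from_match) and list_match(users, user, string_match):
            return perm == "+", rule
    return True, None


def trace(conf_text: str, cases: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Evaluate (user, origin) pairs and report which rule decided each one."""
    rules = parse_access_conf(conf_text)
    report = []
    for user, origin in cases:
        allowed, rule = check_access(rules, user, origin)
        why = (":".join((rule[0], " ".join(rule[1]), " ".join(rule[2])))
               if rule else "(no rule matched)")
        report.append((user, origin, "allow" if allowed else "deny", why))
    return report


# Constructed origins: tty1/tty2 are what a console login presents, the rest
# are what a remote service would present as PAM_RHOST.  someuser is made up.
SAMPLE_CASES = [
    ("root", "stg2.crl.toshiba.co.uk"),
    ("root", "10.1.2.3"),
    ("root", "tty1"),
    ("monitoring", "mailhost.example.org"),
    ("nbaker", "10.1.2.3"),
    ("someuser", "10.1.2.3"),
    ("someuser", "tty2"),
]

if __name__ == "__main__":
    for user, origin, verdict, why in trace(ACCESS_CONF, SAMPLE_CASES):
        print(f"{user:<11} from {origin:<25} -> {verdict:<5} by {why}")
```

Running it prints one line per case: root from stg2.crl.toshiba.co.uk is allowed by the first rule, root from any dotted origin is denied by the second, the three named users are allowed from anywhere, and everyone else is denied unless the origin contains no dot. A console login presenting tty1 matches no rule at all, which pam_access treats as allowed; that default is worth keeping in mind when auditing a rule set, and the same tracing approach is the place to start when a daemon is denied: establish the origin string it hands to PAM, then see which line fires for it.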