[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Login restrictions in NIS environment



Hello,

Apologies to all... My mail client and the machine it was on actually needed
rebooting for some reason... IMAP authenticates perfectly now :-)

Thanks to all who have helped!! Here's a summary of what I required, and
what I have done to get it:

Requirements:

"root" can only log in from certain machines, and is banned from all others
except LOCAL.
"rhobbs", "nbaker" and "monitoring" can log in from any machine.
All other users cannot login from anywhere except LOCAL.

Resolution:

1. Add the following line to "/etc/pam.d/system-auth":
     account     required      /lib/security/pam_access.so

2. Add the following lines to "/etc/security/access.conf":
     +:root:stg2.crl.toshiba.co.uk stg-mkc5win.crl.toshiba.co.uk
     -:root:ALL EXCEPT LOCAL
     +:monitoring rhobbs nbaker:ALL
     -:ALL:ALL EXCEPT LOCAL

It seems to work perfectly! :-)

Thanks again people!

Hobbs.

-- 
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard hobbs crl toshiba co uk
Tel: +44 1223 376964        Mobile: +44 7811 803377 

> -----Original Message-----
> From: redhat-list-bounces redhat com 
> [mailto:redhat-list-bounces redhat com] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 09:15
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
> 
> Hello,
> 
> Change of plan actually... Even commenting out that line in
> "/etc/pam.d/system-auth" doesn't make a difference... I still 
> cannot login
> via IMAP.
> 
> Thanks again for any suggestions.
> 
> Hobbs.
> 
> -- 
> Richard Hobbs (Systems Administrator)
> Toshiba Research Europe Ltd. - Speech Technology Group
> Web: http://www.toshiba-europe.com/research/
> Email: richard hobbs crl toshiba co uk
> Tel: +44 1223 376964        Mobile: +44 7811 803377 
> 
> > -----Original Message-----
> > From: redhat-list-bounces redhat com 
> > [mailto:redhat-list-bounces redhat com] On Behalf Of Richard Hobbs
> > Sent: 09 June 2005 08:56
> > To: 'General Red Hat Linux discussion list'
> > Subject: RE: Login restrictions in NIS environment
> > 
> > Hello,
> > 
> > Thanks for all the help on this people :-) It's very much 
> appreciated.
> > 
> > I am now closer to a solution, but have a slightly different 
> > problem. IMAP
> > logins are restricted - I shall explain my situation.
> > 
> > The relevant files now look like this:
> > 
> > /etc/pam.d/imap:
> > auth       required     /lib/security/pam_stack.so 
> service=system-auth
> > account    required     /lib/security/pam_stack.so 
> service=system-auth
> > 
> > /etc/pam.d/login:
> > auth       required     /lib/security/pam_securetty.so
> > auth       required     /lib/security/pam_stack.so 
> service=system-auth
> > auth       required     /lib/security/pam_nologin.so
> > account    required     /lib/security/pam_stack.so 
> service=system-auth
> > password   required     /lib/security/pam_stack.so 
> service=system-auth
> > session    required     /lib/security/pam_stack.so 
> service=system-auth
> > session    optional     /lib/security/pam_console.so
> > 
> > /etc/security/access.conf:
> > +:root:192.168.0.2
> > -:root:ALL EXCEPT LOCAL
> > +:monitoring rhobbs nbaker:ALL
> > -:ALL:ALL EXCEPT LOCAL
> > 
> > /etc/pam.d/system-auth:
> > auth        required      /lib/security/pam_env.so
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> > auth        required      /lib/security/pam_deny.so
> > account     required      /lib/security/pam_unix.so
> > account     required      /lib/security/pam_access.so
> > password    required      /lib/security/pam_cracklib.so 
> retry=3 type=
> > password    sufficient    /lib/security/pam_unix.so nullok 
> > use_authtok md5
> > shadow nis
> > password    required      /lib/security/pam_deny.so
> > session     required      /lib/security/pam_limits.so
> > session     required      /lib/security/pam_unix.so
> > 
> > So, as you can see, both login and IMAP both use system-auth 
> > for "account".
> > 
> > "access.conf" allows root to login from 192.168.0.2 and 
> denies it from
> > everywhere else except LOCAL. It also allows "monitoring", 
> > "rhobbs" and
> > "nbaker" to login from anywhere, but then denies everyone else from
> > everywhere except LOCAL. This seems to work fine.
> > 
> > However, the user "monitoring" can not login via IMAP unless 
> > the following
> > line is commented out of "/etc/pam.d/system-auth":
> > 
> >      account     required      /lib/security/pam_access.so
> > 
> > Do you know why this is?? How can I fix it? Will any other 
> > issues arrise
> > like this which we won't notice until they are tested?
> > 
> > Thanks again,
> > Hobbs.
> > 
> > -- 
> > Richard Hobbs (Systems Administrator)
> > Toshiba Research Europe Ltd. - Speech Technology Group
> > Web: http://www.toshiba-europe.com/research/
> > Email: richard hobbs crl toshiba co uk
> > Tel: +44 1223 376964        Mobile: +44 7811 803377 
> > 
> > > -----Original Message-----
> > > From: redhat-list-bounces redhat com 
> > > [mailto:redhat-list-bounces redhat com] On Behalf Of James Cooley
> > > Sent: 08 June 2005 20:26
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Login restrictions in NIS environment
> > > 
> > > try:
> > > 
> > > +:root:192.168.0.2
> > > -:root:ALL EXCEPT LOCAL
> > > 
> > > Alternatively, since the rules are on a 'first match 
> wins' basis you
> > > could set all of your allowed accesses first ( with + 
> > signs).  At the
> > > end of the file, you can put:
> > > 
> > > -:ALL:ALL
> > > 
> > > which will deny everyone else.
> > > 
> > > --James Cooley
> > > 
> > > 
> > > 
> > > Richard Hobbs wrote:
> > > 
> > > >Hello,
> > > >
> > > >OK, I have now made the following changes:
> > > >
> > > >
> > > >1. Put the system back to how it was before I started all this.
> > > >
> > > >
> > > >2. Add the following line into "/etc/pam.d/system-auth":
> > > >     account    required     /lib/security/pam_access.so
> > > >
> > > >
> > > >3. Add the following line into "/etc/security/access.conf":
> > > >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > > >
> > > >
> > > >It now works perfectly! Everyone is banned from remotely 
> > > logging into the
> > > >system except rhobbs, nbaker and root!
> > > >
> > > >I need to make one more change though... And it doesn't seem 
> > > to work. I need
> > > >to ban root from logging in remotely except from certain IP 
> > > addresses.
> > > >
> > > >I have tried the following, but it does not allow root to 
> > > login even from
> > > >that IP address:
> > > >
> > > >     -:ALL EXCEPT rhobbs nbaker root 192 168 0 2:ALL EXCEPT LOCAL
> > > >
> > > >I have also tried using the hostname, and 
> > > hostname.domain.co.uk instead of
> > > >the IP address, but root still cannot log in from that host.
> > > >
> > > >Do you know how I can ban everyone from logging in remotely, 
> > > except for a
> > > >few users, and how I can ban root from logging in from any 
> > > machine except
> > > >particular ones?
> > > >
> > > >Thanks again, this is incredibly useful and massively 
> > appreciated :-)
> > > >
> > > >Richard.
> > > >
> > > >  
> > > >
> > > 
> > > 
> > > -- 
> > > --
> > > James Cooley
> > > Sr. Systems Analyst
> > > Information Technology
> > > Florida Tech
> > > 321-674-7999
> > > jcooley it fit edu
> > > 
> > > -- 
> > > redhat-list mailing list
> > > unsubscribe 
> > mailto:redhat-list-request redhat com?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > 
> > > 
> > 
> _____________________________________________________________________
> > > This e-mail has been scanned for viruses by MCI's Internet 
> > > Managed Scanning Services - powered by MessageLabs. For 
> > > further information visit http://www.mci.com
> > > 
> > 
> > 
> > 
> > 
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet 
> > Managed Scanning Services - powered by MessageLabs. For 
> > further information visit http://www.mci.com
> > 
> > -- 
> > redhat-list mailing list
> > unsubscribe 
> mailto:redhat-list-request redhat com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> > 
> > 
> _____________________________________________________________________
> > This e-mail has been scanned for viruses by MCI's Internet 
> > Managed Scanning Services - powered by MessageLabs. For 
> > further information visit http://www.mci.com
> > 
> 
> 
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> 



_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning Services - powered by MessageLabs. For further information visit http://www.mci.com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]