was drowned in work - thanks for the answer, but what do you
think about:
auth
include system-auth
account [default=1
success=ignore] pam_succeed_if.so quiet user notingroup
<group_name>
account
required pam_nologin.so
account include system-auth
account include system-auth
isn't
that even less intrusive? I skip the nologin check for everyone in
"group_name"
thanks
Michael
From: Viswanath Kasi [mailto:viswanath.kvg@xxxxxxxxx]
Sent: Thursday, May 06, 2010 6:52 AM
To: Hebenstreit, Michael
Cc: pam-list@xxxxxxxxxx; rohan.lahiri@xxxxxxxxx
Subject: Re: Problems with pam_nologin.so
You can also try this for multiple users based on a group
account [default=1 success=ignore] pam_succeed_if.so quiet user
ingroup <group_name>
account sufficient pam_permit.so
account required pam_nologin.so
account include system-auth
Viswanath
On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg@xxxxxxxxx>
wrote:
Hi! MichaelI made the following changes which worked for me on sshd service with out changing system auth.auth include system-authaccount [default=1 success=ignore] pam_succeed_if.so quiet user = <user>account sufficient pam_permit.soaccount required pam_nologin.soaccount include system-authYou can try this..!Regards,
Viswanath
On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <michael.hebenstreit@xxxxxxxxx> wrote:
I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:
auth include system-auth
account required pam_nologin.so
account include system-auth
....
with system-auth containing
...
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
...
My modification would be:
#%PAM-1.0
auth include system-auth
account include system-auth
account sufficient pam_listfile.so item=user sense=allow file=/etc/admins
account required pam_nologin.so
....
Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?
thanks for any help
Michael
------------------------------------------------------------------------
Michael Hebenstreit Senior Cluster Architect
Intel Corporation Software and Services Group/DRD
2800 N Center Dr, DP3-307 Tel.: +1 253 371 3144
WA 98327, DuPont
UNITED STATES E-mail: michael.hebenstreit@xxxxxxxxx
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list