RE: Problems with pam_nologin.so

"Hebenstreit, Michael" <michael.hebenstreit@xxxxxxxxx> · Wed, 12 May 2010 11:52:35 -0700

*confused*

From documentation I got:

default, implies 
'all valueN's not mentioned explicitly. 
Note, the full list of PAM errors is available in /usr/include/security/_pam_types.h. The actionN can 
be: an unsigned integer, n, signifying an 
action of 'jump over the next n modules in 
the stack';

and the example

Given that the type matches, only loads the othermodule rule if the UID is 
over 500. Adjust the number after default to skip several rules. 
type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...
as I understand - the default action is to skip the next line; 
the default action is executed in the case of failure. 

    auth       
include      system-auth

    account  [default=1 success=ignore] 
pam_succeed_if.so quiet user notingroup 
<group_name>
    account    
required     pam_nologin.so

account    include      
system-auth

Standard users are not in 
<group_name>. The test succeeds, and so the next line is executed - 
requiring "no_login".  For administrators the tests fails, as they are 
members of the group <group_name>, default kicks in and the no_login line 
is jumped over

my tests indicate it works, so I'm a little bit 
confused now
could you please 
clarify?

thanks
Michael

From: Viswanath Kasi 
[mailto:viswanath.kvg@xxxxxxxxx] 
Sent: Wednesday, May 12, 2010 11:14 
AM
To: Hebenstreit, Michael
Cc: pam-list@xxxxxxxxxx; 
rohan.lahiri@xxxxxxxxx
Subject: Re: Problems with 
pam_nologin.so

This would be quite opposite to our basic requirement i.e "to allow 
certain users (eg the administrators) access to a system even when /etc/nologin 
is present".This modification would provide the session to any authenticated 
user who is not in the admin group.

Regards,
Viswanath

On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael 
<michael.hebenstreit@xxxxxxxxx> 
wrote:

  was 
  drowned in work - thanks for the answer, but what do you think 
  about:

      auth       
  include      system-auth

      account  [default=1 
  success=ignore] pam_succeed_if.so quiet user ingroup 
  <group_name>

      account    
  required     pam_nologin.so

  account    include      
  system-auth

  isn't that even less 
  intrusive? I skip the nologin check for everyone in 
  "group_name"
  thanks
  Michael

  From: Viswanath Kasi [mailto:viswanath.kvg@xxxxxxxxx] 
Sent: Thursday, May 06, 
  2010 6:52 AM
To: Hebenstreit, Michael
Cc: pam-list@xxxxxxxxxx; rohan.lahiri@xxxxxxxxx
Subject: Re: Problems with 
  pam_nologin.so

  Micheal, 

  You can also try this for multiple users based on a group

  account  [default=1 success=ignore] pam_succeed_if.so quiet user 
  ingroup <group_name>
  account  sufficient     pam_permit.so
  account    required     pam_nologin.so
  account    include      system-auth

Regards,

Viswanath

  On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg@xxxxxxxxx> wrote:

  Hi! Michael 

    I made the following changes which worked for me on sshd service with 
    out changing system auth.

    auth 
          include      system-auth

    account  [default=1 success=ignore] pam_succeed_if.so quiet user = 
    <user>
    account  sufficient     pam_permit.so

    account    required     pam_nologin.so
    account    include      system-auth

    You can try this..!

Regards,

Viswanath 

    On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael 
    <michael.hebenstreit@xxxxxxxxx> wrote:

    I'm sorry to hit the entire list with this question but 
      after some hours research I'm still unable to find a solution to my 
      problem. I need a way to allow certain users (eg the administrators) 
      access to a system even when /etc/nologin is present. The orginal Redhat 5 
      config read like:

 auth       include   
         system-auth
 account    required   
        pam_nologin.so
 account    include     
       system-auth
 ....

with system-auth 
      containing

 ...
 account     required   
         pam_unix.so
 account     sufficient   
       pam_succeed_if.so uid < 500 quiet
 account     
      required      pam_permit.so
 ...

My 
      modification would be:

 #%PAM-1.0
 auth     
        include      system-auth
 account   
       include      system-auth
 account   
       sufficient   pam_listfile.so  item=user sense=allow 
      file=/etc/admins
 account    required     
      pam_nologin.so
 ....

Which holes do I open by moving 
      pam_nologin.so to the end of the stack? Are there better ways to reach my 
      goal?

thanks for any 
      help
Michael

------------------------------------------------------------------------
Michael 
      Hebenstreit                 Senior 
      Cluster Architect
Intel Corporation           
              Software and Services Group/DRD
2800 N 
      Center Dr, DP3-307           Tel.:   +1 253 
      371 3144
WA 98327, DuPont
UNITED STATES         
                    E-mail: michael.hebenstreit@xxxxxxxxx

_______________________________________________
Pam-list 
      mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list