Re: Problems with pam_nologin.so

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This would be quite opposite to our basic requirement i.e "to allow certain users (eg the administrators) access to a system even when /etc/nologin is present".This modification would provide the session to any authenticated user who is not in the admin group.

Regards,
Viswanath


On Wed, May 12, 2010 at 10:28 PM, Hebenstreit, Michael <michael.hebenstreit@xxxxxxxxx> wrote:
was drowned in work - thanks for the answer, but what do you think about:
 
    auth       include      system-auth
    account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
    account    required     pam_nologin.so
    account    include      system-auth
 
isn't that even less intrusive? I skip the nologin check for everyone in "group_name"
thanks
Michael

From: Viswanath Kasi [mailto:viswanath.kvg@xxxxxxxxx]
Sent: Thursday, May 06, 2010 6:52 AM
To: Hebenstreit, Michael
Cc: pam-list@xxxxxxxxxx; rohan.lahiri@xxxxxxxxx
Subject: Re: Problems with pam_nologin.so

Micheal,

You can also try this for multiple users based on a group

account  [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
account  sufficient     pam_permit.so
account    required     pam_nologin.so
account    include      system-auth

Regards,

Viswanath


On Thu, May 6, 2010 at 6:46 PM, Viswanath Kasi <viswanath.kvg@xxxxxxxxx> wrote:
Hi! Michael

I made the following changes which worked for me on sshd service with out changing system auth.

auth       include      system-auth
account  [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
account  sufficient     pam_permit.so
account    required     pam_nologin.so
account    include      system-auth

You can try this..!

Regards,

Viswanath



On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <michael.hebenstreit@xxxxxxxxx> wrote:
I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:

 auth       include      system-auth
 account    required     pam_nologin.so
 account    include      system-auth
 ....

with system-auth containing

 ...
 account     required      pam_unix.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 ...

My modification would be:

 #%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 account    sufficient   pam_listfile.so item=user sense=allow file=/etc/admins
 account    required     pam_nologin.so
 ....

Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?

thanks for any help
Michael


------------------------------------------------------------------------
Michael Hebenstreit                 Senior Cluster Architect
Intel Corporation                   Software and Services Group/DRD
2800 N Center Dr, DP3-307           Tel.:   +1 253 371 3144
WA 98327, DuPont
UNITED STATES                       E-mail: michael.hebenstreit@xxxxxxxxx

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux