You can prevent the SSH login by adding pam_access to /etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth stack is called by both login and ssh access. As for su, there really isn't any way that I know of to prevent that, except by not making the user available in nis.

--James Cooley

Richard Hobbs wrote:

>Hello,
>
>OK, I now have a partly working solution... It disallows me from logging in
>directly on the console, and it still allows everyone else access. I am
>using James Cooley's suggestion of pam_access.
>
>However, if I log in as root and 'su' to myself, it allows it, and if I SSH
>into the machine as myself it allows it.
>
>How can I stop my account from logging in via SSH as well using this method?
>
>Here are the files from our test machine:
>
>/etc/pam.d/login:
>#%PAM-1.0
>auth required /lib/security/pam_securetty.so
>auth required /lib/security/pam_stack.so service=system-auth
>auth required /lib/security/pam_nologin.so
>account required /lib/security/pam_stack.so service=system-auth
>password required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_stack.so service=system-auth
>session optional /lib/security/pam_console.so
>account required /lib/security/pam_access.so
>
>/etc/pam.d/rlogin:
>#%PAM-1.0
>account required /lib/security/pam_access.so
>
>/etc/pam.d/rsh:
>#%PAM-1.0
>account required /lib/security/pam_access.so
>
>/etc/pam.d/ftp:
>#%PAM-1.0
>account required /lib/security/pam_access.so
>
>I had to create "rlogin", "rsh" and "ftp" because they did not exist.
>
>I also added the extra "account" line to the bottom of "login" as requested,
>but is there something wrong with this file which is allowing me to log in
>remotely and via 'su' ?
>
>Thanks again,
>Richard.
>

--
James Cooley
Sr. Systems Analyst
Information Technology
Florida Tech
321-674-7999
jcooley@xxxxxxxxxx

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
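
Added example, not part of the original message or the posters' files: a small Python check of which services' account stacks reach pam_access, either directly or through pam_stack service=system-auth, before and after the line is placed in system-auth. The sshd and system-auth contents are constructed samples and the function names are hypothetical.

```python
import re

# type, control (plain word or [bracketed]), module path, optional args
RULE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module basename, args) for each PAM rule line."""
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0])  # drop comments and #%PAM-1.0
        if m:
            mtype, control, path, args = m.groups()
            yield mtype.lstrip("-"), control, path.rsplit("/", 1)[-1], args.split()

def reaches(service, files, module="pam_access.so", mtype="account", seen=()):
    """True if the service's stack lists the module, following pam_stack.
    Presence only: control flags that could skip the rule are not evaluated."""
    if service in seen or service not in files:
        return False
    for t, _control, mod, args in parse(files[service]):
        if t != mtype:
            continue
        if mod == module:
            return True
        if mod == "pam_stack.so":
            for a in args:
                if a.startswith("service=") and reaches(
                        a[len("service="):], files, module, mtype, seen + (service,)):
                    return True
    return False

def audit(files, shared=("system-auth",)):
    """Map each service (excluding shared stacks) to whether it reaches pam_access."""
    return {s: reaches(s, files) for s in sorted(files) if s not in shared}

STACK = "account required /lib/security/pam_stack.so service=system-auth\n"
ACCESS = "account required /lib/security/pam_access.so\n"
# Constructed sample: login carries pam_access itself, as in the quoted file.
BEFORE = {
    "login": "#%PAM-1.0\n" + STACK + ACCESS,
    "sshd": "#%PAM-1.0\n" + STACK,
    "system-auth": "#%PAM-1.0\naccount required /lib/security/pam_unix.so\n",
}
# Same files with the pam_access line added to the shared system-auth stack.
AFTER = dict(BEFORE, **{"system-auth": BEFORE["system-auth"] + ACCESS})

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

To check a real host, build the dictionary from the files under /etc/pam.d (file name as key, contents as value) and pass it to `audit`.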