try:

+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL

Alternatively, since the rules are on a 'first match wins' basis you could set all of your allowed accesses first (with + signs). At the end of the file, you can put:

-:ALL:ALL

which will deny everyone else.

--James Cooley

Richard Hobbs wrote:

>Hello,
>
>OK, I have now made the following changes:
>
>
>1. Put the system back to how it was before I started all this.
>
>
>2. Add the following line into "/etc/pam.d/system-auth":
>   account required /lib/security/pam_access.so
>
>
>3. Add the following line into "/etc/security/access.conf":
>   -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
>
>
>It now works perfectly! Everyone is banned from remotely logging into the
>system except rhobbs, nbaker and root!
>
>I need to make one more change though... And it doesn't seem to work. I need
>to ban root from logging in remotely except from certain IP addresses.
>
>I have tried the following, but it does not allow root to login even from
>that IP address:
>
>   -:ALL EXCEPT rhobbs nbaker root@xxxxxxxxxxx:ALL EXCEPT LOCAL
>
>I have also tried using the hostname, and hostname.domain.co.uk instead of
>the IP address, but root still cannot log in from that host.
>
>Do you know how I can ban everyone from logging in remotely, except for a
>few users, and how I can ban root from logging in from any machine except
>particular ones?
>
>Thanks again, this is incredibly useful and massively appreciated :-)
>
>Richard.

--
James Cooley
Sr. Systems Analyst
Information Technology
Florida Tech
321-674-7999
jcooley@xxxxxxxxxx
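The 'first match wins' evaluation discussed in this thread can be checked offline before touching /etc/security/access.conf. The following is an added example, not part of the original messages and not pam_access's own code: a simplified Python model that assumes exact-string origin matching (no DNS, netmask or group lookups), treats LOCAL as "origin contains no dot", and assumes James's two root lines are placed before Richard's existing line. The names check_access, RULES and LOGINS, the address 10.0.0.5, the tty tty1 and the user alice are constructed for illustration.

```python
# Simplified model of pam_access rule evaluation (added example, not the module's code).
# Assumptions: origins are compared as exact strings (no DNS, netmask or group lookup),
# and LOCAL means "origin contains no dot", e.g. a tty name.

def list_match(tokens, item, match_one):
    """Match item against a token list, honouring the EXCEPT operator."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, rest = tokens[:i], tokens[i + 1:]
    else:
        head, rest = tokens, []
    if not any(match_one(tok, item) for tok in head):
        return False
    # A match in the head is cancelled if the EXCEPT list also matches.
    return not (rest and list_match(rest, item, match_one))

def user_match(tok, user):
    return tok == "ALL" or tok == user

def origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin
    return tok == origin

def check_access(rules, user, origin):
    """Return True if access is granted. The first matching rule decides."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return perm == "+"
    return True  # no rule matched: access is granted

# Rules from the thread: James's two root lines, then Richard's existing line.
RULES = [
    "+:root:192.168.0.2",
    "-:root:ALL EXCEPT LOCAL",
    "-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL",
]

# Constructed test logins (user, origin); 10.0.0.5, tty1 and alice are made up.
LOGINS = [("root", "192.168.0.2"), ("root", "10.0.0.5"), ("root", "tty1"),
          ("rhobbs", "10.0.0.5"), ("alice", "10.0.0.5"), ("alice", "tty1")]

if __name__ == "__main__":
    for user, origin in LOGINS:
        verdict = "granted" if check_access(RULES, user, origin) else "denied"
        print(f"{user:7} from {origin:12} -> {verdict}")
```

Swapping the first two rules makes the deny line match root at 192.168.0.2 first, so the allow line is never reached; the order of the lines is part of the policy.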