I would have thought in access.conf, add at the top

+:root:allowed_machine_name_or_address
-:ALL EXCEPT rhobbs nbaker

should do the trick.

Peter

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Richard Hobbs
Sent: 08 June 2005 16:50
To: 'General Red Hat Linux discussion list'
Subject: RE: Login restrictions in NIS environment

Hello,

OK, I have now made the following changes:

1. Put the system back to how it was before I started all this.

2. Add the following line into "/etc/pam.d/system-auth":

account required /lib/security/pam_access.so

3. Add the following line into "/etc/security/access.conf":

-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL

It now works perfectly! Everyone is banned from remotely logging into the system except rhobbs, nbaker and root!

I need to make one more change though... And it doesn't seem to work.

I need to ban root from logging in remotely except from certain IP addresses. I have tried the following, but it does not allow root to login even from that IP address:

-:ALL EXCEPT rhobbs nbaker root@xxxxxxxxxxx:ALL EXCEPT LOCAL

I have also tried using the hostname, and hostname.domain.co.uk instead of the IP address, but root still cannot log in from that host.

Do you know how I can ban everyone from logging in remotely, except for a few users, and how I can ban root from logging in from any machine except particular ones?

Thanks again, this is incredibly useful and massively appreciated :-)

Richard.

--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs@xxxxxxxxxxxxxxxxx
Tel: +44 1223 376964
Mobile: +44 7811 803377

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of James Cooley
> Sent: 08 June 2005 15:33
> To: General Red Hat Linux discussion list
> Subject: Re: Login restrictions in NIS environment
>
> You can prevent the SSH login by adding pam_access to
> /etc/pam.d/system-auth instead of /etc/pam.d/login. The system-auth
> stack is called by both login and ssh access.
>
> As for su, there really isn't any way that I know of to prevent that,
> except by not making the user available in nis.
>
> --James Cooley
>
>
> Richard Hobbs wrote:
>
> >Hello,
> >
> >OK, I now have a partly working solution... It disallows me from logging in
> >directly on the console, and it still allows everyone else access. I am
> >using James Cooley's suggestion of pam_access.
> >
> >However, if I log in as root and 'su' to myself, it allows it, and if I SSH
> >into the machine as myself it allows it.
> >
> >How can I stop my account from logging in via SSH as well using this method?
> >
> >Here are the files from our test machine:
> >
> >/etc/pam.d/login:
> >#%PAM-1.0
> >auth required /lib/security/pam_securetty.so
> >auth required /lib/security/pam_stack.so service=system-auth
> >auth required /lib/security/pam_nologin.so
> >account required /lib/security/pam_stack.so service=system-auth
> >password required /lib/security/pam_stack.so service=system-auth
> >session required /lib/security/pam_stack.so service=system-auth
> >session optional /lib/security/pam_console.so
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rlogin:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/rsh:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >/etc/pam.d/ftp:
> >#%PAM-1.0
> >account required /lib/security/pam_access.so
> >
> >I had to create "rlogin", "rsh" and "ftp" because they did not exist.
> >
> >I also added the extra "account" line to the bottom of "login" as requested,
> >but is there something wrong with this file which is allowing me to log in
> >remotely and via 'su' ?
> >
> >Thanks again,
> >Richard.
> >
> >
>
> --
> --
> James Cooley
> Sr. Systems Analyst
> Information Technology
> Florida Tech
> 321-674-7999
> jcooley@xxxxxxxxxx
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MCI's Internet
> Managed Scanning Services - powered by MessageLabs. For
> further information visit http://www.mci.com
> _____________________________________________________________________
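Peter's "add at the top" advice rests on /etc/security/access.conf being evaluated first match wins. The evaluator below is an added example (not from any post in this thread) that models only the syntax subset the thread uses, so the effect of rule order can be checked offline. The allowed root address (192.0.2.10), the origins field of the deny line under Peter's layout, and the simplified LOCAL rule are assumptions.

```python
# Toy first-match evaluator for the /etc/security/access.conf subset used
# in this thread (ALL, EXCEPT, LOCAL, user names, host names/addresses).
# Assumptions, not pam_access itself: LOCAL matches an origin containing
# no "."; groups, netgroups, address masks and user@host are not modelled.
def _match_tokens(tokens, value, is_origin):
    """Does any ALL/LOCAL/literal token in the list match the value?"""
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok == "LOCAL" and is_origin and "." not in value:
            return True
        if tok == value:
            return True
    return False

def _match_field(field, value, is_origin):
    """'list1 EXCEPT list2' matches when list1 does and list2 does not."""
    head, _, tail = field.partition(" EXCEPT ")
    if not _match_tokens(head.split(), value, is_origin):
        return False
    return not (tail and _match_tokens(tail.split(), value, is_origin))

def parse_access_conf(text):
    """Return [(permit?, users_field, origins_field), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users, origins))
    return rules

def allowed(conf, user, origin):
    """The first rule matching both user and origin decides; no match permits."""
    for permit, users, origins in parse_access_conf(conf):
        if _match_field(users, user, False) and _match_field(origins, origin, True):
            return permit
    return True

# Richard's working line: only rhobbs, nbaker and root may log in remotely.
RICHARD = "-:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL\n"

# Peter's ordering: a permit line for root from one host (192.0.2.10 is a
# constructed placeholder) ABOVE a deny line that no longer excepts root.
# The deny line's origins field is assumed to stay "ALL EXCEPT LOCAL".
PETER = ("+:root:192.0.2.10\n"
         "-:ALL EXCEPT rhobbs nbaker:ALL EXCEPT LOCAL\n")

# The same two rules reversed: the deny line now matches root first.
REVERSED = ("-:ALL EXCEPT rhobbs nbaker:ALL EXCEPT LOCAL\n"
            "+:root:192.0.2.10\n")
```

With these rules, allowed(PETER, "root", "192.0.2.10") is True while allowed(REVERSED, "root", "192.0.2.10") is False, which is why the permit line has to sit above the deny line.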