Hello,

Change of plan actually... Even commenting out that line in
"/etc/pam.d/system-auth" doesn't make a difference... I still cannot login via
IMAP.

Thanks again for any suggestions.

Hobbs.

--
Richard Hobbs (Systems Administrator)
Toshiba Research Europe Ltd. - Speech Technology Group
Web: http://www.toshiba-europe.com/research/
Email: richard.hobbs@xxxxxxxxxxxxxxxxx
Tel: +44 1223 376964 Mobile: +44 7811 803377

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Richard Hobbs
> Sent: 09 June 2005 08:56
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Login restrictions in NIS environment
>
> Hello,
>
> Thanks for all the help on this people :-) It's very much appreciated.
>
> I am now closer to a solution, but have a slightly different problem. IMAP
> logins are restricted - I shall explain my situation.
>
> The relevant files now look like this:
>
> /etc/pam.d/imap:
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
>
> /etc/pam.d/login:
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> /etc/security/access.conf:
> +:root:192.168.0.2
> -:root:ALL EXCEPT LOCAL
> +:monitoring rhobbs nbaker:ALL
> -:ALL:ALL EXCEPT LOCAL
>
> /etc/pam.d/system-auth:
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        required      /lib/security/pam_deny.so
> account     required      /lib/security/pam_unix.so
> account     required      /lib/security/pam_access.so
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password    required      /lib/security/pam_deny.so
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
>
> So, as you can see, both login and IMAP both use system-auth for "account".
>
> "access.conf" allows root to login from 192.168.0.2 and denies it from
> everywhere else except LOCAL. It also allows "monitoring", "rhobbs" and
> "nbaker" to login from anywhere, but then denies everyone else from
> everywhere except LOCAL. This seems to work fine.
>
> However, the user "monitoring" can not login via IMAP unless the following
> line is commented out of "/etc/pam.d/system-auth":
>
> account     required      /lib/security/pam_access.so
>
> Do you know why this is?? How can I fix it? Will any other issues arise
> like this which we won't notice until they are tested?
>
> Thanks again,
> Hobbs.
>
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of James Cooley
> > Sent: 08 June 2005 20:26
> > To: General Red Hat Linux discussion list
> > Subject: Re: Login restrictions in NIS environment
> >
> > try:
> >
> > +:root:192.168.0.2
> > -:root:ALL EXCEPT LOCAL
> >
> > Alternatively, since the rules are on a 'first match wins' basis you
> > could set all of your allowed accesses first (with + signs). At the
> > end of the file, you can put:
> >
> > -:ALL:ALL
> >
> > which will deny everyone else.
> >
> > --James Cooley
> >
> > Richard Hobbs wrote:
> >
> > >Hello,
> > >
> > >OK, I have now made the following changes:
> > >
> > >1. Put the system back to how it was before I started all this.
> > >
> > >2. Add the following line into "/etc/pam.d/system-auth":
> > >     account     required      /lib/security/pam_access.so
> > >
> > >3. Add the following line into "/etc/security/access.conf":
> > >     -:ALL EXCEPT rhobbs nbaker root:ALL EXCEPT LOCAL
> > >
> > >It now works perfectly! Everyone is banned from remotely logging into the
> > >system except rhobbs, nbaker and root!
> > >
> > >I need to make one more change though... And it doesn't seem to work. I need
> > >to ban root from logging in remotely except from certain IP addresses.
> > >
> > >I have tried the following, but it does not allow root to login even from
> > >that IP address:
> > >
> > >     -:ALL EXCEPT rhobbs nbaker root@xxxxxxxxxxx:ALL EXCEPT LOCAL
> > >
> > >I have also tried using the hostname, and hostname.domain.co.uk instead of
> > >the IP address, but root still cannot log in from that host.
> > >
> > >Do you know how I can ban everyone from logging in remotely, except for a
> > >few users, and how I can ban root from logging in from any machine except
> > >particular ones?
> > >
> > >Thanks again, this is incredibly useful and massively appreciated :-)
> > >
> > >Richard.
> >
> > --
> > James Cooley
> > Sr. Systems Analyst
> > Information Technology
> > Florida Tech
> > 321-674-7999
> > jcooley@xxxxxxxxxx

_____________________________________________________________________
This e-mail has been scanned for viruses by MCI's Internet Managed Scanning
Services - powered by MessageLabs. For further information visit
http://www.mci.com

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
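
An added example, not part of the original messages: a simplified Python model of the "first match wins" evaluation described in the thread, run over the access.conf quoted there. It handles only ALL, LOCAL, EXCEPT, exact names and dotted prefixes/suffixes, and takes the origin as a given string (the sample origins are constructed); how a service such as IMAP supplies that origin to pam_access is not modelled.

```python
# Constructed from the access.conf quoted in the thread above.
ACCESS_CONF = """\
+:root:192.168.0.2
-:root:ALL EXCEPT LOCAL
+:monitoring rhobbs nbaker:ALL
-:ALL:ALL EXCEPT LOCAL
"""

def token_matches(token, value, is_origin):
    t, v = token.lower(), value.lower()
    if t == "all":
        return True
    if is_origin and t == "local":
        return "." not in v            # LOCAL: origin string has no dot
    if is_origin and t.startswith("."):
        return v.endswith(t)           # domain suffix, e.g. ".example.com"
    if is_origin and t.endswith("."):
        return v.startswith(t)         # network prefix, e.g. "192.168.0."
    return t == v                      # exact user, host, address or tty

def list_matches(tokens, value, is_origin):
    # "A B EXCEPT C" matches when A or B matches and C does not.
    cut = next((i for i, t in enumerate(tokens) if t.upper() == "EXCEPT"), None)
    head = tokens if cut is None else tokens[:cut]
    tail = [] if cut is None else tokens[cut + 1:]
    if not any(token_matches(t, value, is_origin) for t in head):
        return False
    return not (tail and list_matches(tail, value, is_origin))

def check_access(conf, user, origin):
    """Return (allowed, matching_line_number); first matching rule decides."""
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_matches(users.split(), user, False)
                and list_matches(origins.split(), origin, True)):
            return perm == "+", n
    return True, None                  # no rule matched: access is granted

if __name__ == "__main__":
    # Constructed (user, origin) pairs; "alice" is a hypothetical other user.
    for user, origin in [("root", "192.168.0.2"), ("root", "10.1.2.3"),
                         ("root", "tty1"), ("monitoring", "mail.example.com"),
                         ("alice", "10.1.2.3")]:
        print(user, origin, check_access(ACCESS_CONF, user, origin))
```

Under this model the third rule admits "monitoring" from any origin string, so a refusal for that user is not explained by rule order alone.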