Hebenstreit, Michael | 3 May 2010 20:46

Problems with pam_nologin.so

I'm sorry to hit the entire list with this question, but after some hours of research I'm still unable to find a
solution to my problem. I need a way to allow certain users (e.g. the administrators) access to a system even
when /etc/nologin is present. The original Red Hat 5 config read like:

  auth       include      system-auth
  account    required     pam_nologin.so
  account    include      system-auth
  ....

with system-auth containing 

  ...
  account     required      pam_unix.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  ...

My modification would be:

  #%PAM-1.0
  auth       include      system-auth
  account    include      system-auth
  account    sufficient   pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
  account    required     pam_nologin.so
  ....

Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?

thanks for any help 
Michael

Dimitris Glynos | 5 May 2010 12:47

pam_group: group-based access to groups!

Hello all,

back in December I had submitted a patch that allows
administrators to dynamically add users of a certain group
to other groups.

For example, users of the "Domain Users" group could be made
members of the "plugdev" group upon login.

To do this I've made some changes to the pam_group module.

Patch and documentation can be found here:
https://www.redhat.com/archives/pam-list/2009-December/msg00000.html

I just checked today and the patch still applies cleanly to the CVS
version of the code (with the exception, of course, of the ChangeLog
entry).

It would be great to have this functionality in PAM-Linux,
since it makes role-based access control much much easier.

So, have a look and let me know what you think!

Cheers,
--
Dimitris Glynos
Viswanath Kasi | 6 May 2010 15:16

Re: Problems with pam_nologin.so

Hi! Michael


I made the following changes, which worked for me on the sshd service without changing system-auth:

auth       include      system-auth
account  [default=1 success=ignore] pam_succeed_if.so quiet user = <user>
account  sufficient     pam_permit.so
account    required     pam_nologin.so
account    include      system-auth

You can try this..!

Regards,

Viswanath


On Tue, May 4, 2010 at 12:16 AM, Hebenstreit, Michael <michael.hebenstreit <at> intel.com> wrote:
------------------------------------------------------------------------
Michael Hebenstreit                 Senior Cluster Architect
Intel Corporation                   Software and Services Group/DRD
2800 N Center Dr, DP3-307           Tel.:   +1 253 371 3144
WA 98327, DuPont
UNITED STATES                       E-mail: michael.hebenstreit <at> intel.com

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list

Viswanath Kasi | 6 May 2010 15:52

Re: Problems with pam_nologin.so

Michael,


You can also try this for multiple users, based on a group:

account  [default=1 success=ignore] pam_succeed_if.so quiet user ingroup <group_name>
account  sufficient     pam_permit.so
account    required     pam_nologin.so
account    include      system-auth

Regards,

Viswanath


Hebenstreit, Michael | 12 May 2010 18:58

RE: Problems with pam_nologin.so

was drowned in work - thanks for the answer, but what do you think about:
 
    auth       include      system-auth
    account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
    account    required     pam_nologin.so
    account    include      system-auth
 
Isn't that even less intrusive? I skip the nologin check for everyone in "group_name".
thanks
Michael

Hebenstreit, Michael | 12 May 2010 20:52

RE: Problems with pam_nologin.so

*confused*
 
From documentation I got:
 
default, implies 'all valueN's not mentioned explicitly. Note, the full list of PAM errors is available in /usr/include/security/_pam_types.h. The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack';
 
and the example:

Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.

    type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
    type required othermodule.so arguments...

As I understand it, the default action is to skip the next line, and the default action is executed in the case of failure.
 
    auth       include      system-auth
    account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup <group_name>
    account    required     pam_nologin.so
    account    include      system-auth
Standard users are not in <group_name>. The test succeeds, and so the next line is executed - requiring "no_login". For administrators the test fails, as they are members of the group <group_name>; default kicks in and the no_login line is jumped over.
 
My tests indicate it works, so I'm a little bit confused now.
Could you please clarify?
 
thanks
Michael

Viswanath Kasi | 12 May 2010 20:14

Re: Problems with pam_nologin.so

This would be quite the opposite of our basic requirement, i.e. "to allow certain users (e.g. the administrators) access to a system even when /etc/nologin is present". This modification would provide the session to any authenticated user who is not in the admin group.


Regards,
Viswanath


Viswanath Kasi | 13 May 2010 00:13

Re: Problems with pam_nologin.so

Yes, you are right, Michael. It was my bad. My initial configuration uses permit.so, which is a promiscuous module, whereas your configuration doesn't, making this even less intrusive, as you stated. It works perfectly.



Regards,
Viswanath


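The difference Viswanath concedes above (pam_permit.so being "promiscuous") is easiest to see by walking both stacks mechanically. What follows is an added example, not code from the list or from Linux-PAM: a small Python model of Linux-PAM's control-flag semantics run over both group-based configurations, with the placeholder <group_name> replaced by a constructed group "admins" and an "expired" flag standing in for whatever pam_unix.so's account check would report.

```python
"""Model of how Linux-PAM walks an 'account' stack, run over the two group-based
configurations from this thread. Added example, not code from the list or from
Linux-PAM; the modules are simplified stand-ins (see MODULES). Control flags:
required = a failure is remembered (first one wins) and the stack continues;
sufficient = success ends the stack unless a 'required' module already failed
(failure is ignored); [success=ignore default=N] = success contributes nothing,
anything else jumps over the next N lines, which is how pam_nologin.so is skipped."""
from dataclasses import dataclass, field

SUCCESS, FAIL = "PAM_SUCCESS", "PAM_AUTH_ERR"

@dataclass
class Env:                      # constructed environment, stands in for a real host
    user: str
    uid: int
    groups: set = field(default_factory=set)
    nologin: bool = False       # does /etc/nologin exist?
    expired: bool = False       # what pam_unix.so's account check would report

def pam_succeed_if(env, args):
    # forms used in the thread: user = X, user ingroup/notingroup G, uid < N, uid > N
    what, op, value = [a for a in args if a != "quiet"]
    if what == "user":
        ok = {"=": env.user == value, "ingroup": value in env.groups,
              "notingroup": value not in env.groups}[op]
    else:
        ok = {"<": env.uid < int(value), ">": env.uid > int(value)}[op]
    return SUCCESS if ok else FAIL

MODULES = {
    "pam_succeed_if.so": pam_succeed_if,
    "pam_permit.so": lambda env, args: SUCCESS,
    "pam_unix.so": lambda env, args: FAIL if env.expired else SUCCESS,
    # pam_nologin.so exempts root; everyone else is refused while /etc/nologin exists
    "pam_nologin.so": lambda env, args: FAIL if env.nologin and env.uid != 0 else SUCCESS,
}
CONTROL = {"required": {"success": "ok", "default": "bad"},        # simple control words as
           "sufficient": {"success": "done", "default": "ignore"}}  # Linux-PAM action tables

def parse(text, stacks=None):
    # pam.d lines -> [(type, action table, module, args)], with 'include' spliced in
    rules = []
    for line in text.strip().splitlines():
        typ, rest = line.split(None, 1)
        if rest.startswith("["):
            raw, rest = rest[1:].split("]", 1)
            ctrl = dict(kv.split("=") for kv in raw.split())
        else:
            ctrl, rest = rest.split(None, 1)
        mod, *args = rest.split()
        if ctrl == "include":   # only lines of the same type are taken from the other stack
            rules.extend(r for r in (stacks or {})[mod] if r[0] == typ)
        else:
            rules.append((typ, ctrl if isinstance(ctrl, dict) else CONTROL[ctrl], mod, args))
    return rules

def run_stack(rules, env):
    status, positive, i = None, False, 0     # status remembers the first failure
    while i < len(rules):
        _typ, ctrl, mod, args = rules[i]
        i += 1
        rc = MODULES[mod](env, args)
        action = ctrl.get("success" if rc == SUCCESS else "default", "bad")
        if action.isdigit():                  # jump over the next N rules
            i += int(action)
        elif action in ("ok", "done") and status is None:
            positive = True
            if action == "done":
                return SUCCESS
        elif action == "bad":
            status = status or rc
        # 'ignore' (and a success after an earlier failure) changes nothing
    return status or (SUCCESS if positive else FAIL)   # nothing voted -> denied

SYSTEM_AUTH = """
account required   pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required   pam_permit.so
"""
# Viswanath's group variant: pam_permit.so short-circuits the whole stack for admins
PERMIT_VARIANT = """
account [default=1 success=ignore] pam_succeed_if.so quiet user ingroup admins
account sufficient pam_permit.so
account required   pam_nologin.so
account include    system-auth
"""
# Michael's variant: admins skip only the pam_nologin.so line; system-auth still runs
NOTINGROUP_VARIANT = """
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup admins
account required   pam_nologin.so
account include    system-auth
"""

def decide(config, env):
    return run_stack(parse(config, {"system-auth": parse(SYSTEM_AUTH)}), env)
```

With /etc/nologin present, both variants admit an admin and refuse an ordinary user, but only the notingroup variant still runs pam_unix.so for the admin, so an admin whose account has expired is refused there and admitted by the pam_permit.so variant.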
Hebenstreit, Michael | 13 May 2010 00:16

RE: Problems with pam_nologin.so

Thanks for your advice, greatly appreciated.
Michael

Ganesh Bawaskar | 13 May 2010 08:49

help help help

Hi all,
I have a problem related to password change through the PAM module API on Mac OS 10.5.
 
Description:
I want to change the password on Mac OS 10.5 through a program; which system PAM module should I use in the config file?
I was successful in doing so on 10.6 because the pam_opendirectory.so module is present there and provides the password change facility, but on 10.5 no such module is present. I am unable to detect any other system PAM module which can change the password.
If anyone knows, please tell me as early as possible.
 
Ganesh Bawaskar
(Software Engineer)
persistent system limited.   
