Date:      Mon, 15 Oct 2007 18:58:12 -0500 (CDT)
From:      "Javier A. Del Pino Coronel" <tuaregmex@yahoo.com.mx>
To:        freebsd-questions@freebsd.org
Subject:   login.access, login and su.
Message-ID:  <854475.54819.qm@web43144.mail.sp1.yahoo.com>

Good afternoon,

I need to restrict access to some accounts. We are using FreeBSD 4.10; this is the configuration for "login" in /etc/pam.conf:


login   auth    sufficient      pam_skey.so
login   auth    sufficient      pam_opie.so             no_fake_prompts
#login  auth    requisite       pam_opieaccess.so
login   auth    requisite       pam_cleartext_pass_ok.so
#login  auth    sufficient      pam_kerberosIV.so       try_first_pass
#login  auth    sufficient      pam_krb5.so             try_first_pass
login   auth    required        pam_unix.so             try_first_pass
login   account required        pam_unix.so
login   password required       pam_permit.so
login   session required        pam_permit.so

And this is the content of /etc/login.access:

-:ALL EXCEPT user user1 : ALL


If we do "su - user3" in FreeBSD 4.10 the result is that we become "user3" successfully, and no restriction message appears.

% su - user3
%whoami
%user3


With FreeBSD 6.1/6.2, we are able to restrict access if the account doesn't appear in /etc/login.access, for example:

-:ALL EXCEPT user user1 user2 : ALL

And this is the content of /etc/pam.d/login:

# PAM configuration for the "login" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_self.so             no_warn
auth            include         system

# account
account         requisite       pam_securetty.so
account         include         system

# session
session         include         system

# password
password        include         system


If we are using the account "user" and want to change to "user3" using "su -", this never happens:

% su - user3
pam_login_access: pam_sm_acct_mgmt: user3 is not allowed to log in on /dev/ttyp0
su: Sorry


Which is exactly what we need, but for FreeBSD 4.10.


There are differences between 4.10 and 6.1/6.2 in the configuration of PAM and all its modules, but the configuration for login.access is the same.

We read the documentation at the FreeBSD site about login.access and there is no difference in the syntax of this file.

We have also read the man pages for login/pam/login.conf/login.access.

The file "login.conf" is the same for 4.10 and 6.1/6.2; we didn't modify its content.

Is there another configuration file we are missing that should be modified to restrict "user" from becoming "user3" using "su -" in FreeBSD 4.10?

P.S. I sent this message (twice) from gmail.com, but until now it doesn't appear in the history of the list or in my gmail inbox.


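As an added illustration (not part of the original message, and not FreeBSD's own code), the following evaluates the two rule files quoted above with login.access(5) semantics: entries are `permission:users:origins`, the first matching entry wins, and no match means access is granted. Group membership and the LOCAL origin are simplified and supplied by the caller; the code models only how a rule file is matched, not which programs (login vs. su) consult the file on a given release.

```python
"""Evaluate /etc/login.access rules with login.access(5) matching semantics."""
import re

# Constructed samples: the two rule files quoted in the message above.
ACCESS_4_10 = "-:ALL EXCEPT user user1 : ALL\n"
ACCESS_6_X = "-:ALL EXCEPT user user1 user2 : ALL\n"


def _parse_list(field):
    """Split a users/origins field into (items, except_items)."""
    tokens = [t for t in re.split(r"[,\s]+", field.strip()) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _list_match(items, except_items, candidates):
    """A list matches when some item matches a candidate and no EXCEPT item does."""
    def matches(item):
        return item == "ALL" or item in candidates
    return any(matches(i) for i in items) and not any(matches(i) for i in except_items)


def parse_rules(text):
    """Parse the file into (allow, (users, users_except), (origins, origins_except))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", _parse_list(users), _parse_list(origins)))
    return rules


def access_allowed(rules, user, groups=(), tty="ttyp0"):
    """True if the rules permit `user` from `tty`; first match wins, no match allows.

    Assumption: group names are passed in by the caller, and a tty is treated
    as a LOCAL origin (the real module resolves both itself).
    """
    user_set = {user, *groups}
    origin_set = {tty, "LOCAL"}
    for allow, (u, u_except), (o, o_except) in rules:
        if _list_match(u, u_except, user_set) and _list_match(o, o_except, origin_set):
            return allow
    return True
```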


