From: Dimitri Yioulos
To: freebsd-questions@freebsd.org
Date: Tue, 5 Apr 2011 15:23:00 -0400
Subject: Re: Help with pam_abl package

On Tuesday 05 April 2011 12:22:54 pm Phusion wrote:
> I'm having a problem with the pam_abl package.
> I've already emailed the program's author, but
> didn't get a reply back. I'm having trouble
> setting up a rule to exclude two users. One user
> is the root user while the other is a local
> account. I've tried multiple things, but they
> don't seem to work. The rules seem to only not
> include the root user.
>
> This does exclude the root user, but not the
> localacct user.
>
> #debug
> user_db=/var/db/pam_abl/users.db
> user_rule=!root|!localacct:5/60d
>
> This next one doesn't seem to work either.
>
> #debug
> user_db=/var/db/pam_abl/users.db
> user_rule=!root:5/60d !localacct:5/60d
>
> Please advise.
>
> Phusion

You might want to try the following (from the
pam_abl documentation):

Multiple rules can be provided separated by spaces like this

    *:10/1h root:5/1h,10/1d

in which case all rules that match a particular user and
service will be checked. The user or host will be blocked if
any of the rule triggers matches. The sense of the user
matching can be inverted by placing a '!' in front of the
rule so that

    !root:20/1d

is a rule which would match for all users apart from root. It
is important to treat root as a special case in the user_rule
otherwise excessive attempts to authenticate as root will
result in the root account being locked out even for valid
holders of root credentials.

HTH.
Dimitri
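
Added example (not part of the original message and not pam_abl's own code): a small Python model of the matching described in the quoted documentation, run against the two rules from the thread. It assumes that '|' separates names within one clause and that a single leading '!' inverts the whole clause; the third rule is a hypothetical variant under those assumptions.

```python
# Simplified model of pam_abl user_rule matching (added example).
# From the documentation excerpt above:
#   - clauses are separated by whitespace; a user is covered if ANY clause matches
#   - a leading '!' inverts the clause
# Assumed here: '|' separates names inside one clause, '*' matches any user.
# Triggers (e.g. 5/60d) are split off but not evaluated; services are ignored.

def parse_rule(rule):
    """Return a list of (inverted, names) tuples, one per clause."""
    clauses = []
    for clause in rule.split():
        spec, sep, triggers = clause.partition(":")
        if not sep or not triggers:
            raise ValueError(f"clause without triggers: {clause!r}")
        inverted = spec.startswith("!")
        if inverted:
            spec = spec[1:]  # only ONE leading '!' is treated as syntax
        clauses.append((inverted, spec.split("|")))
    return clauses

def clause_matches(inverted, names, user):
    """True if this clause applies to the user."""
    listed = "*" in names or user in names
    return listed != inverted

def covered(rule, user):
    """True if failed logins for this user would be counted by the rule."""
    return any(clause_matches(inv, names, user)
               for inv, names in parse_rule(rule))

def report(rule, users):
    return {u: covered(rule, u) for u in users}

USERS = ["root", "localacct", "alice"]  # constructed sample accounts
CANDIDATES = [
    "!root|!localacct:5/60d",        # first attempt from the thread
    "!root:5/60d !localacct:5/60d",  # second attempt from the thread
    "!root|localacct:5/60d",         # single inverted list (hypothetical)
]

if __name__ == "__main__":
    for rule in CANDIDATES:
        print(f"{rule!r:34} -> {report(rule, USERS)}")
```

In this model the first rule lists the literal name "!localacct", so only root is excluded, and the second rule covers every account because each user matches at least one of the two inverted clauses.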