PLUGGABLE AUTHENTICATION MODULE (PAM)
Tuesday, June 23, 2009
If you want to disallow console logins to all but root
Open the /etc/security/access.conf file in any editor
Copy the following line and paste it at the next line -
# -:ALL EXCEPT wheel shutdown sync:LOCAL
Modify the line as follows -
-:ALL EXCEPT root sync:LOCAL
Edit the /etc/pam.d/system-auth file - add the following line
account required /lib/security/pam_access.so
The above only disallows console logins made locally. Users will still be able to log in to your server from a remote system using telnet or ssh.
To disallow local as well as virtual terminal login
Edit the /etc/pam.d/system-auth file - add the following line
account required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
Note: the above is a single line, even if it wraps in this document.
Now, create the /etc/security/validusers file and add user names there, one per line, like -
root
user1
The above configuration will allow only root and user1 to log in at your system's terminals. If you replace sense=allow with sense=deny in the directive in the
/etc/pam.d/system-auth file, it will instead disallow root and user1.
If you want to disallow a user from logging in from any terminal except one tty (here tty3)
Open the /etc/security/access.conf file in any editor
Copy the following line and paste it at the next line -
# -:ALL EXCEPT wheel shutdown sync:LOCAL
Modify the line as follows -
-:red:ALL EXCEPT tty3
Edit the /etc/pam.d/system-auth file - add the following line
account required /lib/security/pam_access.so
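To see how the access.conf and validusers entries above are interpreted before touching a live system, here is a small policy simulator. It is an added example written for this page, not code from pam_access or pam_listfile, and it models only the subset of the grammar used above: permission:users:origins lines with +/-, ALL, "ALL EXCEPT ..." and the origin keyword LOCAL (which pam_access treats as any origin containing no dot), first matching line wins, no match means access is granted; and for pam_listfile, item=user with sense=allow|deny and onerr=fail|succeed. Group names (@group) and netgroups are not modelled (an assumption of this simplified model). The sample rules and user list are constructed from the post.

```python
"""Simulate the pam_access and pam_listfile rules shown above (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    permit: bool          # True for '+', False for '-'
    users: List[str]      # e.g. ["ALL", "EXCEPT", "root", "sync"]
    origins: List[str]    # e.g. ["LOCAL"] or ["ALL", "EXCEPT", "tty3"]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse permission:users:origins lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append(Rule(perm == "+", users.split(), origins.split()))
    return rules


def _list_matches(items: List[str], value: str, is_local: bool) -> bool:
    """Match value against a users or origins list, handling ALL, LOCAL and 'ALL EXCEPT ...'."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        head, tail = items[:idx], items[idx + 1:]
        return _list_matches(head, value, is_local) and not _list_matches(tail, value, is_local)
    for item in items:
        if item == "ALL":
            return True
        if item == "LOCAL" and is_local:      # LOCAL only applies to origins
            return True
        if item == value:
            return True
    return False


def access_allowed(rules: List[Rule], user: str, origin: str) -> bool:
    """pam_access semantics: first rule matching both user and origin decides;
    if nothing matches, access is granted."""
    is_local = "." not in origin             # tty names and plain hostnames count as LOCAL
    for rule in rules:
        if _list_matches(rule.users, user, False) and _list_matches(rule.origins, origin, is_local):
            return rule.permit
    return True


def listfile_allows(validusers: Optional[str], user: str,
                    sense: str = "allow", onerr: str = "fail") -> bool:
    """Model pam_listfile item=user. 'validusers' is the file content, or None when
    the file cannot be read, in which case onerr decides the outcome."""
    if validusers is None:
        return onerr == "succeed"
    listed = {line.strip() for line in validusers.splitlines() if line.strip()}
    return (user in listed) if sense == "allow" else (user not in listed)


# Constructed samples taken from the post
CONSOLE_ONLY_ROOT = parse_access_conf("-:ALL EXCEPT root sync:LOCAL")
RED_ONLY_TTY3 = parse_access_conf("-:red:ALL EXCEPT tty3")
VALIDUSERS = "root\nuser1\n"

if __name__ == "__main__":
    for user, origin in (("root", "tty1"), ("user1", "tty1"), ("user1", "host.example.com")):
        print(f"{user}@{origin}: {access_allowed(CONSOLE_ONLY_ROOT, user, origin)}")
    for tty in ("tty1", "tty3"):
        print(f"red@{tty}: {access_allowed(RED_ONLY_TTY3, 'red', tty)}")
    print("user2 in validusers:", listfile_allows(VALIDUSERS, "user2"))
```

Running it shows why the first recipe still lets user1 in over ssh (a dotted remote host is not LOCAL) and why onerr=fail matters: with the validusers file unreadable, the allow list denies everyone rather than silently opening up.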
Login Time Restriction
Open the /etc/security/time.conf in any editor
Add the following lines there -
login;*;red;MoTuWeThFr0000-2400
login;*;green;Mo1000-2400|TuWeThFr0000-2400|Sa0000-1400
Edit the /etc/pam.d/system-auth file - add the following line
account required /lib/security/pam_time.so
Here, user red will be allowed to log in from Monday to Friday, and
user green will be allowed to log in from Monday 10:00 through Saturday 14:00.
Days are referred to by their first two letters; for example, Sunday is written Su.
A leading ! negates a time range. Check the following line -
login;*;red;!MoTuWeThFr0000-2400
Here, user red will be disallowed to login from Monday to Friday.
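The time.conf rules above can be checked the same way. The following simulator is an added example written for this page, not pam_time's own code. It handles the subset of the grammar used here: services;ttys;users;times, where the first three fields are * or names joined by | (shell-style wildcards such as tty* are accepted), and the times field is terms joined by |, each an optional !, a run of two-letter day codes (Mo Tu We Th Fr Sa Su plus the groups Wk, Wd, Al) and an HHMM-HHMM range, with 2400 meaning end of day. Assumptions of this simplified model: & is not supported, repeating a day code does not toggle it off, and the day check uses the calendar day of the attempt even when a range wraps past midnight. The sample rules are the two from the post, and the test dates are constructed around the post's own date (Tuesday, June 23, 2009).

```python
"""Simulate pam_time's time.conf evaluation (added example, not pam_time's source)."""
import re
from datetime import datetime
from fnmatch import fnmatchcase
from typing import List, Set, Tuple

# ISO weekday numbers: Monday=1 ... Sunday=7
DAY_CODES = {"Mo": 1, "Tu": 2, "We": 3, "Th": 4, "Fr": 5, "Sa": 6, "Su": 7}
DAY_GROUPS = {"Wk": {1, 2, 3, 4, 5}, "Wd": {6, 7}, "Al": set(range(1, 8))}

# optional '!', one or more two-letter day codes, HHMM-HHMM
_TERM = re.compile(r"^(!?)((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")


def parse_time_conf(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (services, ttys, users, times) tuples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields in {raw!r}")
        rules.append(tuple(f.strip() for f in fields))
    return rules


def _field_matches(field: str, value: str) -> bool:
    return field == "*" or any(fnmatchcase(value, alt) for alt in field.split("|"))


def _to_minutes(hhmm: str) -> int:
    return int(hhmm[:2]) * 60 + int(hhmm[2:])   # "2400" -> 1440, i.e. end of day


def _parse_term(term: str) -> Tuple[bool, Set[int], int, int]:
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"bad time term {term!r}")
    negate, day_str, start, end = m.groups()
    days: Set[int] = set()
    for code in re.findall(r"[A-Z][a-z]", day_str):
        if code in DAY_CODES:
            days.add(DAY_CODES[code])
        elif code in DAY_GROUPS:
            days |= DAY_GROUPS[code]
        else:
            raise ValueError(f"unknown day code {code!r} in {term!r}")
    return negate == "!", days, _to_minutes(start), _to_minutes(end)


def _times_match(times: str, when: datetime) -> bool:
    """True if any |-separated term (after applying its ! negation) covers 'when'."""
    weekday = when.isoweekday()
    minute = when.hour * 60 + when.minute
    for term in times.split("|"):
        negate, days, start, end = _parse_term(term)
        if start <= end:
            in_range = start <= minute < end
        else:                                   # range wraps past midnight, e.g. 2200-0600
            in_range = minute >= start or minute < end
        hit = weekday in days and in_range
        if hit != negate:
            return True
    return False


def login_allowed(rules, service: str, tty: str, user: str, when: datetime) -> bool:
    """pam_time semantics: every rule that applies to this service/tty/user must
    match the current time; if no rule applies at all, access is granted."""
    for services, ttys, users, times in rules:
        applies = (_field_matches(services, service)
                   and _field_matches(ttys, tty)
                   and _field_matches(users, user))
        if applies and not _times_match(times, when):
            return False
    return True


def login_allowed_at(rules, user: str, year: int, month: int, day: int, hour: int,
                     minute: int = 0, service: str = "login", tty: str = "tty1") -> bool:
    """Convenience wrapper: evaluate a rule set for a user at a wall-clock moment."""
    return login_allowed(rules, service, tty, user, datetime(year, month, day, hour, minute))


# Constructed sample: the two rules from the post
RULES = parse_time_conf("""
login;*;red;MoTuWeThFr0000-2400
login;*;green;Mo1000-2400|TuWeThFr0000-2400|Sa0000-1400
""")
NEGATED = parse_time_conf("login;*;red;!MoTuWeThFr0000-2400")

if __name__ == "__main__":
    for user in ("red", "green"):
        print(user, "Tue 11:00:", login_allowed_at(RULES, user, 2009, 6, 23, 11))
        print(user, "Mon 09:00:", login_allowed_at(RULES, user, 2009, 6, 22, 9))
        print(user, "Sat 15:00:", login_allowed_at(RULES, user, 2009, 6, 27, 15))
```

Two behaviours worth noticing: a user with no matching rule (or a service other than login) is not restricted at all, so pam_time only constrains what you explicitly list; and the negated rule for red makes Saturday and Sunday the only permitted days, which is the mirror image of the first rule.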
Labels: command, configuration, guide to linux, linux administrator guide, linux security, PLUGGABLE AUTHENTICATION MODULE, pocket linux guide, red hat linux guide