I am using CentOS 5.7. I have an /etc/security/access.conf file which has the following:
+ : root : LOCAL
+ : @mynetgroup : ALL
- : ALL : ALL
I thought this is supposed to restrict access to the system to only root and the accounts in the mynetgroup netgroup; however, any NIS account is still able to log in. It appears that the access.conf is being ignored completely, so I'm thinking there's something I'm missing.
How can I restrict access to a system based on NIS netgroups?
Thanks!
---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanhorn@wright.edu
http://www.engineering.wright.edu/~mvanhorn/
On Tue, Nov 08, 2011 at 03:41:22PM -0500, Mike VanHorn wrote:
> How can I restrict access to a system based on NIS netgroups?
Change nsswitch.conf so that it reads
passwd: compat
passwd_compat: nis
And then in /etc/passwd
+@netgroup1::::::
+@netgroup2::::::
That way only users in the given netgroup(s) have visible accounts on the machine.
access.conf is supposed to support this type of functionality, thereby not needing to modify /etc/passwd / /etc/shadow!?!
On Tue, 8 Nov 2011, James A. Peltier wrote:
> access.conf is supposed to support this type of functionality, thereby not needing to modify /etc/passwd / /etc/shadow!?!
You'll probably need to add a pam_access.so reference to the stock /etc/pam.d/password-auth. Make the first "account" line
account required pam_access.so
Also, I assume that your system can access your netgroups properly, i.e., getent can see them:
getent netgroup $groupname
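To make the first-match semantics of those rules concrete, here is an added example (not from the thread) that models how pam_access walks Mike's three access.conf lines once the module is actually in the account stack. It assumes a constructed in-memory netgroup map in place of NIS, the classic rule that LOCAL matches an origin containing no "." and leaves EXCEPT lists out.

```python
# Added example, not from the thread: simplified model of pam_access rule
# evaluation (first matching rule wins) over the three rules Mike posted.
# Assumptions: "@name" is resolved from a constructed map instead of NIS,
# "LOCAL" matches an origin with no "." (classic pam_access), no EXCEPT.
ACCESS_CONF = """\
+ : root : LOCAL
+ : @mynetgroup : ALL
- : ALL : ALL
"""
# Constructed netgroups in getent (host,user,domain) form; a bare name nests
# another netgroup, as NIS allows.
NETGROUPS = {"mynetgroup": ["(,alice,)", "(,bob,)", "admins"],
             "admins": ["(,carol,)"]}

def netgroup_users(name, seen=()):
    """Expand a netgroup recursively (loop-safe) to the user names it holds."""
    users = set()
    for member in ([] if name in seen else NETGROUPS.get(name, [])):
        if member.startswith("("):
            users.add(member.strip("()").split(",")[1])
        else:
            users |= netgroup_users(member, seen + (name,))
    users.discard("")  # (host,,domain) triples carry no user
    return users

def parse_access_conf(text):
    # Returns [(allow, user_items, origin_items), ...] in file order.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules

def item_matches(item, value, is_origin):
    # Match one list item against the user name or the origin string.
    if item == "ALL":
        return True
    if is_origin and item == "LOCAL":
        return "." not in value
    if not is_origin and item.startswith("@"):
        return value in netgroup_users(item[1:])
    return item == value

def access_allowed(user, origin, conf=ACCESS_CONF):
    """The decision pam_access makes: first rule matching both fields wins."""
    for allow, users, origins in parse_access_conf(conf):
        if any(item_matches(u, user, False) for u in users) and \
           any(item_matches(o, origin, True) for o in origins):
            return allow
    return True  # no rule matched: pam_access permits by default
```

With these rules root is accepted only from a dotless (local) origin, nested netgroup members are accepted from anywhere, and every other account falls through to the final deny.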
> You'll probably need to add a pam_access.so reference to the stock /etc/pam.d/password-auth. Make the first "account" line
> account required pam_access.so
My CentOS system doesn't have a stock password-auth file. I tried creating one with that line in it, but that didn't work. Also, per some web pages I found, I tried putting that line into system-auth, but that didn't work either.
> Also, I assume that your system can access your netgroups properly, i.e., getent can see them:
> getent netgroup $groupname
Yes, that is working.
Fortunately, the solution provided on-list by Stephen Harris did work, but I'm puzzled as to why this isn't.
On 11/09/2011 05:53 AM, Mike VanHorn wrote:
>> You'll probably need to add a pam_access.so reference to the stock /etc/pam.d/password-auth. Make the first "account" line
>> account required pam_access.so
> My CentOS system doesn't have a stock password-auth file. I tried creating one with that line in it, but that didn't work. Also, per some web pages I found, I tried putting that line into system-auth, but that didn't work either.
I use this line in my /etc/pam.d/sshd file and it works correctly. I don't have other services, so I haven't put it in system-auth (or password-auth, which is CentOS 6), but it does seem like it should work there as well. Keep in mind that other things may interfere: there is a rule in system-auth that allows anyone with uid < 500 in, so that could be clouding things for you.
On Nov 9, 2011, at 8:53 AM, Mike VanHorn michael.vanhorn@wright.edu wrote:
>> You'll probably need to add a pam_access.so reference to the stock /etc/pam.d/password-auth. Make the first "account" line
>> account required pam_access.so
> My CentOS system doesn't have a stock password-auth file. I tried creating one with that line in it, but that didn't work. Also, per some web pages I found, I tried putting that line into system-auth, but that didn't work either.
>> Also, I assume that your system can access your netgroups properly, i.e., getent can see them:
>> getent netgroup $groupname
> Yes, that is working.
> Fortunately, the solution provided on-list by Stephen Harris did work, but I'm puzzled as to why this isn't.
Check out 'authconfig' man page.
It will setup your PAM and nsswitch files (and krb5.conf etc) appropriately. You just list the authentication mechanisms and their basic settings and it does the rest for you.
-Ross
authconfig --enablepamaccess --updateall does this for you.
On 11/8/11 4:31 PM, "Stephen Harris" lists@spuddy.org wrote:
> On Tue, Nov 08, 2011 at 03:41:22PM -0500, Mike VanHorn wrote:
>> How can I restrict access to a system based on NIS netgroups?
> Change nsswitch.conf so that it reads
> passwd: compat
> passwd_compat: nis
> And then in /etc/passwd
> +@netgroup1::::::
> +@netgroup2::::::
> That way only users in the given netgroup(s) have visible accounts on the machine.
This works. Thanks!