[CentOS] CentOS6 and pam_access

Fri Oct 19 14:12:21 UTC 2012
lhecking at users.sourceforge.net <lhecking at users.sourceforge.net>

>  Under CentOS5, I used this configuration to restrict access to root only:
> # cat /etc/security/access.conf
> + : root : ALL
> - : ALL : ALL
> # cat /etc/pam.d/system-auth-ac
> ...
> account     required      pam_access.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
> ...
> # 
 Figured it out by reverse-engineering the changes made by system-config-authentication.

 In addition to system-auth-ac, as a minimum, password-auth-ac needs the
 same update. To make it complete, fingerprint-auth-ac and smartcard-auth-ac
 need the additional line, too (not that they matter on the server hw here).

 The state of PAM access is also recorded in /etc/sysconfig/authconfig
 (USEPAMACCESS=yes/no), but this seems to serve as a reminder for
 system-config-authentication more than actual system services configuration.