Linux - Newbie
Hi experts,
I am new to Linux PAM. After I set it to use some modules, say, pam_access.so, I want to know if there is a way for the administrator to check whether any invalid attempt happened and was blocked by that module? Thanks in advance for any comment!
PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.
Thank you for the reply. I found the log entry for the violation generated by pam_access, but cannot find the one generated by pam_time.so (there is just an entry with 'Permission denied', without the word pam_time). Would you please give me some idea?
Here is the test done at console login:
account: testtime --> for testing pam_time
account: testaccess --> for testing pam_access
---------------------------------------
The /etc/pam.d/login:
[root@localhost pam.d]# more /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session optional pam_ck_connector.so
session required /lib/security/pam_limits.so
session required pam_limits.so
[root@localhost pam.d]#
---------------------------------------
The system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---------------------------------------
The /etc/security/time.conf:
*;*;testtime;!Al0000-2400
---------------------------------------
The /etc/security/access.conf:
- :testaccess : ALL
---------------------------------------
The /var/log/secure:
[root@localhost pam.d]# more /var/log/secure
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
[root@localhost pam.d]#
---------------------------------------
What I wonder is, in the secure log I cannot find a keyword like 'pam_time' followed by 'Permission denied', but 'pam_access' does appear. Thus, it's hard for me to realize the user is blocked by the 'pam_time' module in a real situation. Is there any way to solve it? Thanks. (The test is done with Fedora 7, while my production environment is RHEL 5.)
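As an added example (not from any poster in this thread), a small Python script that walks the posted /var/log/secure lines in order and attributes each 'Permission denied' to the module that announced itself, falling back to the user and terminal context from pam_warn when, as with pam_time above, no module line is present. The log lines are embedded as constructed input copied from the thread.

```python
import re

# Constructed sample input: the /var/log/secure lines quoted earlier in this
# thread, with the wrapped "us er=" field rejoined onto one line.
SECURE_LOG = """\
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
"""

# syslog prefix "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[^:]+): (?P<msg>.*)$")
# Linux-PAM module prefix "pam_foo(service:type): detail"; pam_warn's detail is key=[value] fields
MODULE_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<detail>.*)$")
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")
def attribute_denials(log_text):
    """Walk the log in order; each 'Permission denied' closes one attempt and
    takes the module lines and pam_warn context seen since the previous one."""
    results, pending = [], {"modules": [], "warn": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["msg"] == "Permission denied":
            w = pending["warn"]
            results.append({
                "time": m["ts"],
                "user": w.get("user"),
                "terminal": w.get("terminal"),
                "stage": w.get("function"),
                # pam_access names itself; a silent module (pam_time above) leaves None
                "denied_by": pending["modules"][0] if pending["modules"] else None,
            })
            pending = {"modules": [], "warn": {}}
            continue
        mm = MODULE_RE.match(m["msg"])
        if not mm:
            continue
        if mm["module"] == "pam_warn":
            pending["warn"] = dict(FIELD_RE.findall(mm["detail"]))
        else:
            pending["modules"].append(mm["module"])
    return results

if __name__ == "__main__":
    for r in attribute_denials(SECURE_LOG):
        print(r["time"], r["user"], r["stage"], r["denied_by"] or "unattributed")
```

Because pam_warn is listed in the account stack, its function=[pam_sm_acct_mgmt] line is what tells you the denial came from an account module rather than from authentication.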
Quote:
Originally Posted by ono1331
What I wonder is, in the secure log I cannot find a keyword like 'pam_time' followed by 'Permission denied', but 'pam_access' does appear. Thus, it's hard for me to realize the user is blocked by the 'pam_time' module in a real situation.
No, it won't be. Your log shows user "testtime" (any exposed account names with "test" or "blah" in them are bad names anyway) is denied access by the first module in the PAM stack (see /etc/security/access.conf), so no subsequent modules are checked. BTW, you also have two "account required pam_time.so" lines in your /etc/pam.d/login.
Sorry master, do you mean any account with the word 'test' will be blocked by the pam_access module? But if I use another account, say 'john', I can only find 'Permission denied' in the /var/log/secure file, nothing more. Why is this happening in my case? Or can you give me a sample setting to solve this? Thanks.
I'm not a "master" of anything so please don't call me that.
Quote:
Originally Posted by ono1331
do you mean any account with the word 'test' will be blocked by the pam_access module?
No, I mean it should be common sense to not have any account name with the string "test" in it.
Quote:
Originally Posted by ono1331
but if I use another account, say 'john', I can only find 'Permission denied' in the /var/log/secure file, nothing more. Why is this happening in my case?
Questions:
- In /etc/security/access.conf you have a line "- :testaccess : ALL". What does that line achieve?
- What is the (expanded) PAM module order of your /etc/pam.d/login?
- So which module is used first? pam_access.so or pam_time.so?
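To answer the order questions concretely, an added Python example (not from anyone in this thread) that expands the include lines of the posted /etc/pam.d/login against the posted system-auth and lists the account stack in its effective order, also reporting the module listed twice. Only the lines shown in the thread are embedded as constructed input, so the system-auth include contributes no account entries here.

```python
import re
from collections import Counter

# Constructed sample input: /etc/pam.d/login and system-auth as posted in this
# thread, trimmed to the lines that matter here (the posted system-auth shows
# no account lines, so its include adds nothing to the account stack).
PAM_FILES = {
    "login": """\
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
""",
    "system-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
""",
}
# type  control (a [...] field may contain spaces)  module  [args]
LINE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")
def expand_stack(files, service, mtype, seen=frozenset()):
    """Ordered (control, module) pairs of one type, splicing 'include'd files in place."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    seen = seen | {service}
    stack = []
    for line in files[service].splitlines():
        m = LINE_RE.match(line.strip())  # comments and blank lines do not match
        if not m or m["type"] != mtype:
            continue
        if m["control"] == "include":
            stack.extend(expand_stack(files, m["module"], mtype, seen))
        else:
            stack.append((m["control"], m["module"]))
    return stack

def duplicated_modules(stack):
    """Modules that appear more than once in an expanded stack."""
    return sorted(mod for mod, n in Counter(mod for _, mod in stack).items() if n > 1)

if __name__ == "__main__":
    acct = expand_stack(PAM_FILES, "login", "account")
    print([m for _, m in acct], "listed twice:", duplicated_modules(acct))
```

Run against the posted files, the account stack comes out as pam_access, pam_time, pam_nologin, pam_warn, pam_time, which is why pam_access is consulted before pam_time for every login.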