/etc/passwd entries needed in /etc/security/access.conf?

bbtg · 10-09-2007, 01:49 PM

We are running RHEL4 and using LDAP. When "-:ALL:ALL" is used as the last line in /etc/security/access.conf then I need to add local user entries found in /etc/passwd to /etc/security/access.conf or else the local user cannot login.

/var/log/messages shows: pam_access[30283]: access denied for user

Various tweaks to /etc/pam.d/login and /etc/pam.d/sshd have not produced any results. I am reluctant to edit /etc/pam.d/system-auth because "authconfig" will over-write it.

The info at the RedHat Knowledge Base FQA;
http://kbase.redhat.com/faq/FAQ_85_9358.shtm
did not seem to solve the problem.

Any insight is appreciated. Thanks.

stickman · 10-11-2007, 09:30 PM

I've got a few RHEL4 systems authenticating via LDAP, and I modified system-auth. One unfortunate side affect of using the RHEL tools is that they only understand basic configurations. I found it easier just to make the changes that I needed rather than rely on the tools.

What do your login and sshd files look like?

bbtg · 10-15-2007, 07:54 AM

Quote:

Originally Posted by stickman

I've got a few RHEL4 systems authenticating via LDAP, and I modified system-auth. One unfortunate side affect of using the RHEL tools is that they only understand basic configurations. I found it easier just to make the changes that I needed rather than rely on the tools.

What do your login and sshd files look like?

/etc/pam.d/login:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
account required pam_access.so
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open

/etc/pam.d/sshd:

#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
account required pam_access.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

We have also opened a ticket with RedHat Support but nothing has come of it yet. Thanks for looking.

bbtg · 10-16-2007, 07:47 AM

Quote:

Originally Posted by bbtg

/etc/pam.d/login:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
account required pam_access.so
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open

/etc/pam.d/sshd:

#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
account required pam_access.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

We have also opened a ticket with RedHat Support but nothing has come of it yet. Thanks for looking.

To All interested parties:

HP Support's reply in part reads "limiting access to some subset of all available local and remote users isn't something that PAM can do as-is. Since both authentication methods are valid, the only way to do this is by username as you're currently doing with access.conf.

So there is no solution to the original post.