Two problems about "using pam to limit user login"
OS = RHEL 3 AS
Problem 1: use pam_wheel to limit users who can su to root
"/etc/pam.d/su" file content as follows:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid group=admin
# only allow the members of "admin" group to su to root
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
Now suppose there are 3 users: alice, bob and courer.
# usermod -G admin alice
After the above setting, only alice can su to root, but bob cannot.
The question is: bob unexpectedly cannot su to a common user such as courer either.
Some information in /var/log/message:
PAM-Wheel[3873]: Access denied for 'bob' to 'courer'
Problem 2: use pam_limits to limit system resources
"/etc/pam.d/login" file content as follows:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_limits.so
"/etc/security/limits.conf" file content as follows:
alice - maxlogins 1
bob - maxlogins 2
courer - maxlogins 0
Then alice can have 2 logins at the same time, bob can have 3 logins at the same time, and courer cannot log in.
Why can't I allow only one login at a time?
N=n+1 (n>0)?
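
An added example, not part of the original post: a small Python model of how the three auth lines of the "/etc/pam.d/su" file in Problem 1 are evaluated for a given caller and target. It assumes pam_wheel tests only the calling user's membership in "admin" (consistent with the logged "Access denied for 'bob' to 'courer'") and that the password check in system-auth succeeds; all function names are hypothetical.

```python
# Constructed model of the auth lines in the post's /etc/pam.d/su.
ADMIN_GROUP = {"alice"}  # result of: usermod -G admin alice

def pam_rootok(caller, target):
    # Succeeds only when the calling user is already root
    return caller == "root"

def pam_wheel(caller, target):
    # Assumption: with "use_uid group=admin" only the caller's group
    # membership is tested; the target user is never consulted
    return caller in ADMIN_GROUP

def system_auth(caller, target):
    # Assumption: the target's password is entered correctly
    return True

SU_AUTH_STACK = [
    ("sufficient", "pam_rootok", pam_rootok),
    ("required", "pam_wheel", pam_wheel),
    ("required", "pam_stack(system-auth)", system_auth),
]

def evaluate(stack, caller, target):
    """Return (allowed, name of the first failing required module or None)."""
    failed = None
    for control, name, module in stack:
        ok = module(caller, target)
        if control == "sufficient":
            # Success ends the stack early unless a required module
            # has already failed; failure here is simply ignored
            if ok and failed is None:
                return True, None
        elif control == "required":
            # Failure is remembered, the rest of the stack still runs
            if not ok and failed is None:
                failed = name
    return failed is None, failed

if __name__ == "__main__":
    for caller in ("root", "alice", "bob"):
        for target in ("root", "courer"):
            allowed, blocker = evaluate(SU_AUTH_STACK, caller, target)
            verdict = "allowed" if allowed else "denied by " + blocker
            print("su %-6s -> %-6s : %s" % (caller, target, verdict))
```

In this model the denial for bob is produced by the pam_wheel line for every target, because that line is "required" and nothing before it succeeds for a non-root caller.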