pam_listfile.so not blocking root login using telnet

sheelavantar · 02-21-2012, 08:18 PM

Hello All,
I am trying to block telnet login for "root".

I am using pam_listfile.so module to achieve this.
but pam_listfile.so module is failing to block the root login.

I have added the following line in /etc/pam.d/login file

PHP Code:



# Block users listed in "/etc/loginusers" 
auth       required   /lib64/security/pam_listfile.so item=user sense=deny file=/etc/loginusers onerr=succeed

and I have added "root" entry in the /etc/loginusers file.

When I checked the log, I found the below lines.

PHP Code:



Feb 22 02:06:46 UAMA-T login: pam_unix(remote:account): account root has password changed in future 
Feb 22 02:06:46 UAMA-T login: pam_unix(remote:session): session opened for user root by (uid=0) 
Feb 22 02:06:46 UAMA-T login: ROOT LOGIN ON pts/3 FROM 10.254.208.86

please let me know if anybody know about this.

Warm Regards,
Vijay

jschiwal · 02-21-2012, 09:20 PM

The telnet server isn't built with the PAM libraries. It may not even be built with the libwrap library. Try using xinetd to launch and control it or use hosts.deny. Be sure to test your solution. It may not work. Please consider using SSH instead.

sheelavantar · 02-21-2012, 11:39 PM

Thanx for the reply. I'll check the telnet build.

jschiwal · 02-22-2012, 02:19 AM

You can simply use "ldd /sbin/in.telnetd" to check for the external libraries loaded. I temporarily installed the telnet-server package to check for libpam (and quickly removed it like a cancer) but didn't remember if libwrap was used.