trINItr0n_ (n00b)
Joined: 05 Feb 2004 Posts: 44 Location: Belgium::Leuven
Posted: Wed Jan 19, 2005 5:19 pm Post subject: pam_access
Hi,
I think I just did something terrible:
I have this remote box and was just tightening up security with this guide: http://www.puschitz.com/SecuringLinux.shtml
So, to not allow anyone other than the users group to log in, I added these to the default Gentoo config:
In /etc/security/access.conf:
-:ALL EXCEPT users :ALL
and in /etc/pam.d/system-auth:
account required /lib/security/pam_access.so
Now I can still log in, but when su-ing I get:
su: Permission denied
Sorry.
I did not change any other files like /etc/pam.d/su or anything ..
What did I do wrong?
And will a local-console user be able to su? Or in single user mode?
Any other ways than going back, booting up with a boot CD and chrooting everything are welcome.
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Wed Jan 19, 2005 5:28 pm
Boot up in single user mode:
and you will be logged in as root without authenticating.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
trINItr0n_ (n00b)
Joined: 05 Feb 2004 Posts: 44 Location: Belgium::Leuven
Posted: Fri Jan 21, 2005 10:52 am
Thanks .. any idea what I did wrong though?
Or what is the Gentoo way to let only one group of users log in to the system?
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Fri Jan 21, 2005 11:01 am
Erm.. root is not a member of the users group?
You specify an access method of ALL - meaning any way a non-users-member tries to get in is denied, including su.
Add this line (straight from the example access.conf!):
which should let you su to any wheel member.
Yes, LOCAL means from a local process, which should include su.
Of course, you could add root to the users group if you like.
But I'm fairly certain that that is not the Gentoo way...
trINItr0n_ (n00b)
Joined: 05 Feb 2004 Posts: 44 Location: Belgium::Leuven
Posted: Fri Jan 21, 2005 11:42 am
It works now:
- only users from group users can log in
- only users from wheel can su
Code:
+:wheel:LOCAL
-:ALL EXCEPT users:ALL
Note that the +:wheel:LOCAL has to be the first line ..
Thanks noorderbuur
cya!
trINItr0n_ (n00b)
Joined: 05 Feb 2004 Posts: 44 Location: Belgium::Leuven
Posted: Fri Jan 21, 2005 1:24 pm
But root can log in directly on the console (local) now .. any way to solve this properly with PAM? (I know /etc/securetty could also do this.)
adaptr (Watchman)
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Fri Jan 21, 2005 6:28 pm
Again - read the provided examples in access.conf.
prevents anyone from logging in on a console - ever.
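The thread above turns on three pam_access details: the first matching line of access.conf wins, the user field is checked against the account being logged into (for su, that is the target account, root), and LOCAL matches any origin string without a dot, such as a tty name. The following Python model is an added illustration, not code from the thread or from Linux-PAM, and it replays the configurations discussed above under those rules. Everything in it that is not on the page is constructed: the group table (root in wheel mirrors Gentoo's stock /etc/group, but is an assumption here), the origin strings pts/0, tty1 and client.example.org standing in for what login, su and sshd hand to PAM, and the final CONSOLE_HARDENED ruleset, which is one constructed answer to the last question and not the line adaptr posted.

```python
# Added example (not from the thread or from Linux-PAM): a model of how
# pam_access walks /etc/security/access.conf. Modelled semantics: first
# matching line wins; no matching line means access is permitted;
# "ALL EXCEPT" requires a match before EXCEPT and no match after it;
# "LOCAL" matches any origin without a dot (a tty name, not a hostname).
# Group table, origin strings and the last ruleset are constructed.

# Constructed stand-in for /etc/group. root in wheel mirrors Gentoo's
# stock file but is an assumption here.
GROUPS = {
    "users": {"alice", "bob"},
    "wheel": {"root", "alice"},
}

# The poster's original change: denies every account outside group users,
# from any origin, which includes root reached through su.
BEFORE = "-:ALL EXCEPT users :ALL\n"

# The working configuration from the thread (wheel line first).
FIXED = "+:wheel:LOCAL\n-:ALL EXCEPT users:ALL\n"

# The same two lines in the other order, to show why order matters.
REVERSED = "-:ALL EXCEPT users:ALL\n+:wheel:LOCAL\n"

# Constructed answer to the last question: keep su-to-root working but
# refuse root on the named virtual consoles (assumes login passes the tty
# name to pam_access without the /dev/ prefix). Not the line adaptr posted.
CONSOLE_HARDENED = "-:root:tty1 tty2 tty3\n" + FIXED


def parse_access_conf(text):
    """Return [(perm, user_tokens, origin_tokens)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _user_matches(token, user):
    # A user token is ALL, a user name, or a group the user belongs to.
    return token == "ALL" or token == user or user in GROUPS.get(token, ())


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token == origin


def _list_matches(tokens, item, match):
    """pam_access list logic: something before EXCEPT must match, and
    nothing after EXCEPT may match."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    if not any(match(t, item) for t in head):
        return False
    return not any(match(t, item) for t in tail)


def decide(conf_text, user, origin):
    """Return ('+' or '-', matching_rule_or_None) for account USER being
    logged into from ORIGIN. For su, USER is the target account (root) and
    ORIGIN is the tty of the calling session; for sshd it is the client host."""
    for rule in parse_access_conf(conf_text):
        perm, users, origins = rule
        if (_list_matches(origins, origin, _origin_matches)
                and _list_matches(users, user, _user_matches)):
            return perm, rule
    return "+", None


if __name__ == "__main__":
    cases = [
        ("BEFORE", BEFORE, "root", "pts/0"),               # su to root: denied
        ("BEFORE", BEFORE, "alice", "client.example.org"),  # ssh login: allowed
        ("FIXED", FIXED, "root", "pts/0"),                 # su to root: allowed
        ("FIXED", FIXED, "root", "client.example.org"),    # remote root: denied
        ("FIXED", FIXED, "carol", "pts/0"),                # not in users: denied
        ("REVERSED", REVERSED, "root", "pts/0"),           # order matters: denied
        ("CONSOLE_HARDENED", CONSOLE_HARDENED, "root", "tty1"),   # denied
        ("CONSOLE_HARDENED", CONSOLE_HARDENED, "root", "pts/0"),  # allowed
    ]
    for name, conf, user, origin in cases:
        perm, rule = decide(conf, user, origin)
        print("%-16s %-6s from %-19s -> %s  rule=%s" % (name, user, origin, perm, rule))
```

Running the script prints one decision per case; the REVERSED case is the one the poster hit when the wheel line was not first, and the two CONSOLE_HARDENED cases show that a deny rule on the user root must name the console ttys rather than LOCAL, since a LOCAL deny on root would also match the tty that su is run from and break su again.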