login.access, login and su.

Javier A. Del Pino Coronel tuaregmex at yahoo.com.mx
Mon Oct 15 17:24:54 PDT 2007

Good afternoon,

I need to restric the access to some accounts, we are
using FreeBSD
4.10, this is the configuration for "login" in

login   auth    sufficient      pam_skey.so
login   auth    sufficient      pam_opie.so           
#login  auth    requisite       pam_opieaccess.so
login   auth    requisite      
#login  auth    sufficient      pam_kerberosIV.so     
#login  auth    sufficient      pam_krb5.so           
login   auth    required        pam_unix.so           
login   account required        pam_unix.so
login   password required       pam_permit.so
login   session required        pam_permit.so

And this is the content of /etc/login.access:

-:ALL EXCEPT user user1 : ALL

If we do "su - user3" in FreeBSD 4.10 the result is
that we become
"user3" succesfully, and no restricction message

% su - user3

With FreeBSD 6.1/6.2, we are able to restrict the
access if the
account isn't appear in /etc/login.access, for

-:ALL EXCEPT user user1 user2 : ALL

And this is the content of /etc/pamd./login:

# PAM configuration for the "login" service

# auth
auth            required        pam_nologin.so        
auth            sufficient      pam_self.so           
auth            include         system

# account
account         requisite       pam_securetty.so
account         include         system

# session
session         include         system

# password
password        include         system

If we are using the account "user" and whant to change
to "user3"
using "su -" this never happen:

% su - user3
pam_login_access: pam_sm_acct_mgmt: user3 is not
allowed to log in on /dev/ttyp0
su: Sorry

Which is exactly what we need, but for FreeBSD 4.10.

There are differences between 4.10 and 6.1/6.2 for the
of PAM and all it's modules, but the configuration for
login.acces is
the same.

We read the documentation at the FreeBSD site about
login.access and
there is no difference for the sintaxis of this file.

We also had read the man for

The file "login.conf" is the same for 4.10 and
6.1/6.2, we didn't
modified it's content.

Is there another configuration file we are missing
that should be
modified to restrict the "user" become "user3" using
"su -" in FreeBSD

P.D. I sent this message (twice) from gmail.com, but
until now, it's doesn't appear in the historic of the
list or in my gmail inbox.

¡Capacidad ilimitada de almacenamiento en tu correo!
No te preocupes más por el espacio de tu cuenta con Correo Yahoo!:                      

More information about the freebsd-questions mailing list