login.access, login and su.

Tuareg tuaregmex at gmail.com
Tue Oct 16 07:51:42 PDT 2007


Good afternoon,

 I need to restrict access to some accounts. We are using FreeBSD
 4.10; this is the configuration for "login" in /etc/pam.conf:


 login   auth    sufficient      pam_skey.so
 login   auth    sufficient      pam_opie.so               no_fake_prompts
 #login  auth    requisite       pam_opieaccess.so
 login   auth    requisite       pam_cleartext_pass_ok.so
 #login  auth    sufficient      pam_kerberosIV.so         try_first_pass
 #login  auth    sufficient      pam_krb5.so               try_first_pass
 login   auth    required        pam_unix.so               try_first_pass
 login   account required        pam_unix.so
 login   password required       pam_permit.so
 login   session required        pam_permit.so

 And this is the content of /etc/login.access:

 -:ALL EXCEPT user user1 : ALL


 If we do "su - user3" in FreeBSD 4.10 the result is that we become
 "user3" successfully, and no restriction message appears.

 % su - user3
 % whoami
 user3


 With FreeBSD 6.1/6.2, we are able to restrict the access if the
 account doesn't appear in /etc/login.access, for example:

 -:ALL EXCEPT user user1 user2 : ALL

 And this is the content of /etc/pam.d/login:

 # PAM configuration for the "login" service
 #

 # auth
 auth            required        pam_nologin.so          no_warn
 auth            sufficient      pam_self.so             no_warn
 auth            include         system

 # account
 account         requisite       pam_securetty.so
 account         include         system

 # session
 session         include         system

 # password
 password        include         system


 If we are using the account "user" and want to change to "user3"
 using "su -", this never happens:

 % su - user3
 pam_login_access: pam_sm_acct_mgmt: user3 is not allowed to log in on /dev/ttyp0
 su: Sorry


 Which is exactly what we need, but for FreeBSD 4.10.


 There are differences between 4.10 and 6.1/6.2 in the configuration
 of PAM and all its modules, but the configuration of login.access is
 the same.

 We read the documentation at the FreeBSD site about login.access and
 there is no difference in the syntax of this file.

 We have also read the man pages for
 login/pam/login.conf/login.access.

 The file "login.conf" is the same for 4.10 and 6.1/6.2; we didn't
 modify its content.

 Is there another configuration file we are missing that should be
 modified to restrict "user" from becoming "user3" using "su -" in
 FreeBSD 4.10?

 P.S. I sent this message (twice) from gmail.com, but until now it
 doesn't appear in the list archive or in my gmail inbox.


Any ideas/suggestions?

 --
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org  - against proprietary attachments


More information about the freebsd-questions mailing list
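The two /etc/login.access files from the post, evaluated with a small model of the login.access(5) matching rules. This is an added example, not part of the original message and not FreeBSD's own code; it is here to make the policy semantics concrete (the 6.x denial above is produced by pam_login_access in the PAM account stack, a module the 4.10 /etc/pam.conf shown above does not load, so on 4.10 the policy file by itself does not affect su). The model assumes the documented rule format `permission : users : origins`, first matching entry wins, `ALL` matches anything, `EXCEPT` excludes the names listed after it, `LOCAL` matches an origin without a dot, and a user matched by no entry is permitted. Group names in the users field are not modelled, the tty name `ttyp0` is an assumed origin string, and the two sample policies are constructed from the post.

```python
"""Model of login.access(5) matching (added example, not FreeBSD code).

Assumptions:
  * an entry is  permission : users : origins  with permission '+' or '-'
  * the first entry whose users AND origins fields both match decides;
    no matching entry means access is permitted
  * ALL matches anything; EXCEPT excludes everything listed after it;
    LOCAL (origins only) matches a name containing no '.'
  * group names in the users field are not modelled
"""
from typing import Dict, List, Tuple

Rule = Tuple[str, List[str], List[str]]

# Constructed sample policies, copied from the post.
ACCESS_410 = "-:ALL EXCEPT user user1 : ALL\n"
ACCESS_6X = "-:ALL EXCEPT user user1 user2 : ALL\n"


def parse_access(text: str) -> List[Rule]:
    """Parse login.access text into (permission, users, origins) rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"login.access line {lineno}: malformed entry {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def list_match(items: List[str], value: str, origin: bool = False) -> bool:
    """True if value matches the list; EXCEPT splits it into match/exclude parts.

    Keywords are compared case-insensitively; names are compared exactly.
    """
    upper = [item.upper() for item in items]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        return (list_match(items[:idx], value, origin)
                and not list_match(items[idx + 1:], value, origin))
    for item, key in zip(items, upper):
        if key == "ALL" or item == value:
            return True
        if origin and key == "LOCAL" and "." not in value:
            return True
    return False


def login_allowed(rules: List[Rule], user: str, origin: str) -> bool:
    """Apply the first rule matching both user and origin; permit if none does."""
    for perm, users, origins in rules:
        if list_match(users, user) and list_match(origins, origin, origin=True):
            return perm == "+"
    return True


def evaluate(text: str, users: List[str], origin: str = "ttyp0") -> Dict[str, bool]:
    """Decide each user against a policy; 'ttyp0' is an assumed tty name."""
    rules = parse_access(text)
    return {u: login_allowed(rules, u, origin) for u in users}


if __name__ == "__main__":
    for label, policy in (("4.10 file", ACCESS_410), ("6.x file", ACCESS_6X)):
        verdicts = evaluate(policy, ["user", "user1", "user2", "user3"])
        print(label, {u: ("allowed" if ok else "denied") for u, ok in verdicts.items()})
```

Running the module shows user3 denied under both files and user2 denied only under the first, which is the behaviour the 6.x system exhibits; whether a given su or login enforces that verdict depends on a login.access-aware module being present in the PAM stack, not on the policy file.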