login.access, login and su.

Tuareg tuaregmex at gmail.com
Tue Oct 16 07:51:42 PDT 2007

Good afternoon,

 I need to restrict access to some accounts. We are using FreeBSD 4.10, and this is the configuration for "login" in

 login   auth    sufficient      pam_skey.so
 login   auth    sufficient      pam_opie.so
 #login  auth    requisite       pam_opieaccess.so
 login   auth    requisite
 #login  auth    sufficient      pam_kerberosIV.so
 #login  auth    sufficient      pam_krb5.so
 login   auth    required        pam_unix.so
 login   account required        pam_unix.so
 login   password required       pam_permit.so
 login   session required        pam_permit.so

 And this is the content of /etc/login.access:

 -:ALL EXCEPT user user1 : ALL

 If we do "su - user3" in FreeBSD 4.10 the result is that we become "user3" successfully, with no restriction message:

 % su - user3

 With FreeBSD 6.1/6.2, we are able to restrict access if the account doesn't appear in /etc/login.access, for

 -:ALL EXCEPT user user1 user2 : ALL

 And this is the content of /etc/pam.d/login:

 # PAM configuration for the "login" service

 # auth
 auth            required        pam_nologin.so
 auth            sufficient      pam_self.so
 auth            include         system

 # account
 account         requisite       pam_securetty.so
 account         include         system

 # session
 session         include         system

 # password
 password        include         system

 If we are using the account "user" and want to change to "user3" using "su -", this never happens:

 % su - user3
 pam_login_access: pam_sm_acct_mgmt: user3 is not allowed to log in on /dev/ttyp0
 su: Sorry

 Which is exactly what we need, but for FreeBSD 4.10.

 There are differences between 4.10 and 6.1/6.2 in PAM and all its modules, but the configuration for login.access is the same.

 We read the documentation on the FreeBSD site about login.access and there is no difference in the syntax of this file.

 We also read the man page for

 The file "login.conf" is the same for 4.10 and 6.1/6.2; we didn't modify its content.

 Is there another configuration file we are missing that should be modified to restrict "user" from becoming "user3" using "su -" in FreeBSD

 P.S. I sent this message (twice) from gmail.com, but until now it hasn't appeared in the list archive or in my gmail inbox.

Any ideas/suggestions?

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org  - against proprietary attachments
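To check what a given /etc/login.access file would do for a user on a tty before relying on it, here is a small evaluator of the rule syntax used in the two files above, following the first-match and EXCEPT semantics of login.access(5). This is an added example, not code from the mail or from FreeBSD's own login_access.c; the names `login_allowed`, `denied_users`, `RULES_410` and `RULES_6X` are made up here, and group names in the user field and network origins are deliberately not modelled.

```python
# Evaluator for login.access-style rules: "permission:users:origins".
# Assumptions (not from the mail): user field holds user names only (no
# group matching), origin is a tty name or hostname, first matching rule
# wins, and no matching rule means access is granted, as login.access(5)
# documents.


def _tokens(field: str) -> list[str]:
    # Fields may be separated by commas and/or whitespace
    return field.replace(",", " ").split()


def _item_match(tok: str, item: str) -> bool:
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":  # LOCAL matches origins without a dot (ttys, short names)
        return "." not in item
    return tok.lower() == item.lower()


def _list_match(tokens: list[str], item: str) -> bool:
    """Match item against 'a b c' or 'a b EXCEPT c d'."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    else:
        head, tail = tokens, []
    if not any(_item_match(t, item) for t in head):
        return False
    return not any(_item_match(t, item) for t in tail)


def login_allowed(rules: str, user: str, origin: str) -> bool:
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_match(_tokens(users), user) and _list_match(_tokens(origins), origin):
            return perm == "+"
    return True  # no entry matched: login.access(5) grants access


# Constructed copies of the two rule files quoted in the mail
RULES_410 = "-:ALL EXCEPT user user1 : ALL\n"
RULES_6X = "-:ALL EXCEPT user user1 user2 : ALL\n"


def denied_users(rules: str, candidates: tuple[str, ...], origin: str = "/dev/ttyp0") -> list[str]:
    """Return the candidates a rule file would refuse on the given origin."""
    return [u for u in candidates if not login_allowed(rules, u, origin)]
```

This only models the rule file itself: whether su consults it at all depends on a pam_login_access module being in the PAM chain su uses (the 6.x "pam_login_access: pam_sm_acct_mgmt" message above comes from that module), and the 4.10 "login" policy quoted in the mail lists no such module.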
