11-08-2011, 07:41 PM
Mike VanHorn

restricting access to an NIS netgroup

I am using CentOS 5.7. I have an /etc/security/access.conf file which has
the following:

+ : root : LOCAL
+ : @mynetgroup : ALL
- : ALL : ALL

I thought this is supposed to restrict access to the system to only root
and the accounts in the mynetgroup netgroup; however, any NIS account
is still able to log in. It appears that the access.conf is being ignored
completely, so I'm thinking there's something I'm missing.

How can I restrict access to a system based on NIS netgroups?

Thanks!

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanhorn@wright.edu
http://www.engineering.wright.edu/~mvanhorn/




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-08-2011, 08:31 PM
Stephen Harris

restricting access to an NIS netgroup

On Tue, Nov 08, 2011 at 03:41:22PM -0500, Mike VanHorn wrote:
> How can I restrict access to a system based on NIS netgroups?

Change nsswitch.conf so that it reads
passwd: compat
passwd_compat: nis

And then in /etc/passwd
+@netgroup1::::::
+@netgroup2::::::

That way only users in the given netgroup(s) have visible accounts on the
machine.

--

rgds
Stephen
 
11-08-2011, 08:43 PM
"James A. Peltier"

restricting access to an NIS netgroup

----- Original Message -----
| On Tue, Nov 08, 2011 at 03:41:22PM -0500, Mike VanHorn wrote:
| > How can I restrict access to a system based on NIS netgroups?
|
| Change nsswitch.conf so that it reads
| passwd: compat
| passwd_compat: nis
|
| And then in /etc/passwd
| +@netgroup1::::::
| +@netgroup2::::::
|
| That way only users in the given netgroup(s) have visible accounts on
| the
| machine.
|
| --
|
| rgds
| Stephen

access.conf is supposed to support this type of functionality, thereby not needing to modify /etc/passwd or /etc/shadow!?!

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
I will do the best I can with the talent I have

 
11-08-2011, 09:46 PM
Paul Heinlein

restricting access to an NIS netgroup

On Tue, 8 Nov 2011, James A. Peltier wrote:

> access.conf supposed to support this type of functionality thereby
> not needing to modify /etc/passwd / /etc/shadow!?!

You'll probably need to add a pam_access.so reference to the stock
/etc/pam.d/password-auth. Make the first "account" line

account required pam_access.so

Also, I assume that your system can access your netgroups properly,
i.e., getent can see them:

getent netgroup $groupname

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
 
11-09-2011, 12:51 PM
Mike VanHorn

restricting access to an NIS netgroup

On 11/8/11 4:31 PM, "Stephen Harris" <lists@spuddy.org> wrote:
>
>On Tue, Nov 08, 2011 at 03:41:22PM -0500, Mike VanHorn wrote:
>How can I restrict access to a system based on NIS netgroups?
>
>Change nsswitch.conf so that it reads
> passwd: compat
> passwd_compat: nis
>
>And then in /etc/passwd
> +@netgroup1::::::
> +@netgroup2::::::
>
>That way only users in the given netgroup(s) have visible accounts on the
>machine.
>

This works. Thanks!


 
11-09-2011, 12:53 PM
Mike VanHorn

restricting access to an NIS netgroup

>You'll probably need to add a pam_access.so reference to the stock
>/etc/pam.d/password-auth. Make the first "account" line
>
> account required pam_access.so

My CentOS system doesn't have a stock password-auth file. I tried creating
one with that line in it, but that didn't work. Also, per some web pages I
found, I tried putting that line into system-auth, but that didn't work
either.

>Also, I assume that your system can access your netgroups properly,
>i.e., getent can see them:
>
> getent netgroup $groupname

Yes, that is working.

Fortunately, the solution provided on-list by Stephen Harris did work, but
I'm puzzled as to why this isn't.

 
11-09-2011, 05:43 PM
Joe Pruett

restricting access to an NIS netgroup

On 11/09/2011 05:53 AM, Mike VanHorn wrote:
>> You'll probably need to add a pam_access.so reference to the stock
>> /etc/pam.d/password-auth. Make the first "account" line
>>
>> account required pam_access.so
> My CentOS system doesn't have a stock password-auth file. I tried creating
> one with that line in it, but that didn't work. Also, per some web pages I
> found, I tried putting that line into system-auth, but that didn't work
> either.
I use this line in my /etc/pam.d/sshd file and it works correctly. I
don't have other services, so I haven't put it in system-auth (or
password-auth, which is CentOS 6), but it does seem like it should work
there as well. Keep in mind that other things may interfere: there is a
rule in system-auth that allows anyone with uid < 500 in, so that could
be clouding things for you.
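As an added example, not code from anyone in this thread: a small Python model of how pam_access walks the access.conf posted at the top (first matching rule wins; no match means allow), with netgroup members taken from constructed `getent netgroup` output, plus a check of whether pam_access.so in a pam.d account stack can be bypassed by an earlier `sufficient` rule, the uid < 500 case Joe mentions. The getent output, the origins and the PAM stack text are constructed, and EXCEPT clauses and host/network origins are not modelled.

```python
# Added example, not code from the thread: a simplified model of how pam_access walks
# /etc/security/access.conf (first matching rule wins; no match means allow), with netgroup
# members read from constructed `getent netgroup` output. EXCEPT clauses are not modelled.
import re
GETENT_OUTPUT = "mynetgroup           (,alice,) (,carol,)\n"  # constructed getent output
ACCESS_CONF = "+ : root : LOCAL\n+ : @mynetgroup : ALL\n- : ALL : ALL\n"  # the thread's file
# Constructed account stack: a 'sufficient' uid < 500 rule placed ahead of pam_access.
PAM_ACCOUNT = "account sufficient pam_succeed_if.so uid < 500 quiet\naccount required pam_access.so\n"

def parse_netgroups(getent_text):
    """Map netgroup name -> set of users, from the user slot of each (host,user,domain) triple."""
    groups = {}
    for line in filter(None, getent_text.splitlines()):
        name, _, rest = line.partition(" ")
        groups[name] = {m.group(1) for m in re.finditer(r"\([^,]*,\s*([^,]+),[^)]*\)", rest)}
    return groups

def _user_ok(tok, user, ng):
    return tok == "ALL" or tok == user or (tok.startswith("@") and user in ng.get(tok[1:], ()))

def _origin_ok(tok, origin):
    if tok == "LOCAL":  # pam_access: an origin with no '.' or ':' is a local tty or host
        return "." not in origin and ":" not in origin
    return tok == "ALL" or tok == origin

def access_allowed(conf, user, origin, ng):
    """True if the first rule matching (user, origin) is '+', or if no rule matches at all."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if any(_user_ok(u.strip(), user, ng) for u in users.split(",")) and \
           any(_origin_ok(o.strip(), origin) for o in origins.split(",")):
            return perm == "+"
    return True  # no match allows, which is why the trailing '- : ALL : ALL' is needed

def access_enforced_for_all(pam_text):
    """False if pam_access.so is absent or sits behind a 'sufficient' account rule (e.g. uid < 500)."""
    for line in pam_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "account":
            continue
        if f[2] == "pam_access.so":
            return True
        if f[1] == "sufficient":
            return False
    return False
```

With the thread's rules, root is allowed from a local tty but denied from a dotted remote origin, a netgroup member is allowed from anywhere, and everyone else hits the final deny; drop that last line and an unmatched user is allowed.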
 
11-09-2011, 10:32 PM
Ross Walker

restricting access to an NIS netgroup

On Nov 9, 2011, at 8:53 AM, Mike VanHorn <michael.vanhorn@wright.edu> wrote:

>
>> You'll probably need to add a pam_access.so reference to the stock
>> /etc/pam.d/password-auth. Make the first "account" line
>>
>> account required pam_access.so
>
> My CentOS system doesn't have a stock password-auth file. I tried creating
> one with that line in it, but that didn't work. Also, per some web pages I
> found, I tried putting that line into system-auth, but that didn't work
> either.
>
>> Also, I assume that your system can access your netgroups properly,
>> i.e., getent can see them:
>>
>> getent netgroup $groupname
>
> Yes, that is working.
>
> Fortunately, the solution provided on-list by Stephen Harris did work, but
> I'm puzzled as to why this isn't.

Check out 'authconfig' man page.

It will set up your PAM and nsswitch files (and krb5.conf etc.) appropriately. You just list the authentication mechanisms and their basic settings and it does the rest for you.

-Ross

 
11-10-2011, 03:26 AM
"James A. Peltier"

restricting access to an NIS netgroup

----- Original Message -----
| On Tue, 8 Nov 2011, James A. Peltier wrote:
|
| > access.conf supposed to support this type of functionality thereby
| > not needing to modify /etc/passwd / /etc/shadow!?!
|
| You'll probably need to add a pam_access.so reference to the stock
| /etc/pam.d/password-auth. Make the first "account" line
|
| account required pam_access.so
|
| Also, I assume that your system can access your netgroups properly,
| i.e., getent can see them:
|
| getent netgroup $groupname
|
| --
| Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/


authconfig --enablepamaccess --updateall does this for you.

 
