Operating System - HP-UX

Re: Reject login pam module

 
Hans-Dieter Gleich
New Member

Reject login pam module

Hi everybody,

we are running several HP machines (11.0 + 11i) which are configured as NIS clients.
Unfortunately the NIS servers are administered by other people. Using the logins command we have detected some additional root users in NIS (various usernames with uid=0).
Now we are looking for a good method to prevent the login (via ssh, rlogin, telnet, su from another already logged in user) for uid = 0 and username != root.
One idea was to use PAM. I found the xadpam package, but it does not compile on HP.

Any suggestions are welcome

Hans-Dieter
Robert-Jan Goossens
Honored Contributor

Re: Reject login pam module

Hello Hans-Dieter,

How about a combination of /etc/securetty + /etc/default/security

the /etc/securetty will prevent direct login to root

in the /etc/default/security you can add a SU_ROOT_GROUP=xxx

Check these links for more info.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=784797

http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000076457542

Hope this helps,
Robert-Jan
Hans-Dieter Gleich
New Member

Re: Reject login pam module

Hello Robert-Jan,

thank you for your immediate reply. I believe it works for direct root-logins.
But what if the NIS-Admin creates a clone of our locally defined su_root_group (same groupname, same gid) and assigns a NIS-user. I suspect this NIS-user will be allowed to su to one of the "roots".

Hans-Dieter
Robert-Jan Goossens
Honored Contributor

Re: Reject login pam module

I'm not sure; you will have to try it yourself. su will first look for local groups before NIS groups.
Andrew Cowan
Honored Contributor

Re: Reject login pam module

You could simply add a small script to "/etc/profile" that checks if a user is already logged-in e.g.

U=$(whoami)
# who already lists the session being started, so "already logged in"
# means more than one entry; the trailing space keeps "bob" from matching "bobby"
if [ "$(who | grep -c "^${U} ")" -gt 1 ] ;then
echo "user already logged in"
sleep 2
# exit ends the login shell that is sourcing /etc/profile (sh has no logout builtin)
exit
fi
Hans-Dieter Gleich
New Member

Re: Reject login pam module

Hello again,

perhaps I should explain in more detail where the problem arises from: the admin of the NIS server is able to define a root alias and gain control over the NIS clients. Usually this may not be a problem when the NIS server admin and NIS client admin is the same person. In our case these are different people working for different companies.

Meanwhile we have defined all the root-aliases as local users in /etc/passwd so they cannot login. That works fine for the known users. But the NIS server admin is able to define another uid-0-user at any time.
I think what really would be helpful is a method to deny a user's login on a combined username and uid basis (if uid = 0 and username != root then deny login).

Sorry for insisting ...

Hans-Dieter
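As an added example (not code from the thread or from HP-UX), the uid-0/username-not-root rule the original poster asks for, written as two POSIX sh functions: one that audits passwd-format data such as the NIS map for uid-0 entries other than root, and one that can be called from /etc/profile to refuse such a session. The function names and the sample passwd lines are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not part of the original thread.

# find_root_aliases: read passwd(4)-format lines on stdin and print every
# account with uid 0 whose name is not "root" (the NIS "root aliases").
# Intended use on a client:  ypcat passwd | find_root_aliases
find_root_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# is_root_alias NAME UID: true (exit 0) when the pair is a uid-0 account
# that is not root, i.e. a session that should be refused.
is_root_alias() {
    [ "$2" -eq 0 ] && [ "$1" != "root" ]
}

# Hook for /etc/profile (assumed placement): refuse the session when the
# user logging in is a root alias.  LOGNAME is set by login(1); id -u
# gives the effective uid.
deny_root_alias_login() {
    if is_root_alias "${LOGNAME:-$(id -un)}" "$(id -u)"; then
        echo "uid 0 login under an alias is not permitted on this host"
        sleep 2
        exit 1
    fi
}

# Constructed sample, shaped like ypcat passwd output; not real accounts.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
toor:x:0:3::/:/sbin/sh
hdg:x:1001:20::/home/hdg:/usr/bin/ksh
sysadm2:x:0:3::/:/usr/bin/ksh'

# Audit the sample: prints toor and sysadm2, one per line.
printf '%s\n' "$SAMPLE_PASSWD" | find_root_aliases
```

The audit side is the dependable part: /etc/profile is only read by login shells, so a session started with another shell or a non-interactive ssh command never runs deny_root_alias_login, which is why a NIS-level or PAM-level control is still preferable.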