07-27-2005 10:13 AM
Reject login with PAM
I am using pam to reject logins from certain accounts such as oracle, and force them to su to the account. It works to a point. This is what I have in pam.conf:
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_unix.1
and in pam_user.conf I have:
oracle auth /usr/lib/security/libpam_unix.1 use_psd
oracle session /usr/lib/security/libpam_unix.1 use_psd
oracle password /usr/lib/security/libpam_unix.1 use_psd
oracle account /usr/lib/security/libpam_unix.1 use_psd
oracle session /usr/lib/security/libpam_unix.1 use_psd
By using use_psd I get prompted for a PIN. I don't want the PIN prompt. Is there a way to just reject the login? If user oracle tries to log in he gets rejected. Normal users can log in as usual, but oracle has to su.
From reading the man page I know there are all kinds of fancy checking you can do, but I just want to reject the login. Are there any instructions for writing PAM modules? A simple module that, if called, would return a bad code to PAM.
Jim Krol
07-27-2005 05:07 PM
Re: Reject login with PAM
You can do this another way if you log in terminal-based (non-CDE), as:
# Edit /etc/profile as,
if [[ ${LOGNAME} = "oracle" ]]
then
    # First try
    su
    rc=$?
    if [[ $rc -ne 0 ]]
    then
        # Second try
        su
        rc=$?    # re-read the exit status of the second su
        if [[ $rc -ne 0 ]]
        then
            echo "Sorry !! Going to exit"
            sleep 1
            exit 1
        fi
    fi
fi
After the second try, it will print the message and log out.
hth.
Easy to suggest when don't know about the problem!
07-28-2005 12:15 AM
Re: Reject login with PAM
In addition to what you already have in /etc/pam.conf, try adding the following line to /etc/pam_user.conf.
oracle auth /usr/lib/security/libpam_unix.1 use_first_pass
Here is the relevant section from pam_unix(5).
use_first_pass It compares the password in the password database
with the user's initial password (entered when the
user authenticated to the first authentication
module in the stack). If the passwords do not
match, or if no password has been entered, quit and
do not prompt the user for a password. This option
should only be used if the authentication service is
designated as optional in the pam.conf configuration
file.
In summary use_first_pass tells pam_unix not to prompt user for a password, but instead to use the password provided by the first module.
Since the first module in the stack (pam_updbe) does not check for passwords, no passwords will be passed to pam_unix and this will be interpreted as failure by pam_unix.
When oracle user tries to login to the system directly, 'login incorrect' will be printed immediately after login name is entered (there should be no password prompt).
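A check that goes with the configuration discussed in this thread, added here as an example (it is not part of the original posts and not HP code): it reports which services in pam.conf would ignore a user's auth line in pam_user.conf. It assumes per-user options only reach modules that follow libpam_updbe in the same stack, as in the login stack shown above; the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: pam_user.conf options reach only the modules
# that follow libpam_updbe in the same service's stack.

# Constructed sample files (not taken from a real host).
sample_pam_conf() {
cat <<'EOF'
login   auth required /usr/lib/security/libpam_updbe.1
login   auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp     auth required /usr/lib/security/libpam_unix.1
su      auth required /usr/lib/security/libpam_unix.1
EOF
}
sample_pam_user_conf() {
cat <<'EOF'
# login_name  module_type  module_path  options
oracle auth /usr/lib/security/libpam_unix.1 use_first_pass
EOF
}

# stack_coverage TYPE   (pam.conf on stdin)
# One line per service: "covered" only if libpam_updbe precedes every
# other module of that type.
stack_coverage() {
  awk -v type="$1" '
    /^[ \t]*(#|$)/ { next }
    $2 != type     { next }
    !($1 in state) { order[++n] = $1; state[$1] = "uncovered" }
    $4 ~ /libpam_updbe/ { if (!($1 in other)) state[$1] = "covered"; next }
    { other[$1] = 1 }
    END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }'
}

# direct_login_gaps USER PAM_CONF PAM_USER_CONF [ALLOWED_SERVICE]
# If USER has an auth line in pam_user.conf, list the services where it is
# ignored, skipping ALLOWED_SERVICE (default: su, which must keep working).
direct_login_gaps() {
  awk -v u="$1" '$1 == u && $2 == "auth" { f = 1 } END { exit !f }' "$3" ||
    { echo "no-auth-override"; return 1; }
  stack_coverage auth < "$2" |
    awk -v ok="${4:-su}" '$2 == "uncovered" && $1 != ok { print $1 }'
}
```

On a real host, pass /etc/pam.conf and /etc/pam_user.conf as the second and third arguments of direct_login_gaps; every service it prints is a path where the account's login restriction does not apply.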
07-28-2005 06:10 AM
Re: Reject login with PAM
I forgot to add that these are trusted systems. Using the use_first_pass parameter, the account gets locked when the user gets persistent. Is there a way to just consider the login a null event and not lock the account? Is there any documentation on how to write a libpam module? I would like to just reject the login and put out a message. I know I can do this in /etc/profile, but I don't consider /etc/profile a security mechanism. That's why I am gravitating toward PAM.
Jim Krol