Good afternoon,

I need to restrict the access to some accounts, we are using FreeBSD
4.10, this is the configuration for "login" in /etc/pam.conf

login   auth    sufficient
login   auth    sufficient                     no_fake_prompts
#login  auth    requisite
login   auth    requisite
#login  auth    sufficient               try_first_pass
#login  auth    sufficient                     try_first_pass
login   auth    required                     try_first_pass
login   account required
login   password required
login   session required

And this is the content of /etc/login.access:

-:ALL EXCEPT user user1 : ALL

If we do "su - user3" in FreeBSD 4.10 the result is that we become
"user3" successfully, and no restriction message appears.

% su - user3

With FreeBSD 6.1/6.2, we are able to restrict the access if the
account doesn't appear in /etc/login.access, for example:

-:ALL EXCEPT user user1 user2 : ALL

And this is the content of /etc/pam.d/login:

# PAM configuration for the "login" service

# auth
auth            required          no_warn
auth            sufficient             no_warn
auth            include         system

# account
account         requisite
account         include         system

# session
session         include         system

# password
password        include         system

If we are using the account "user" and want to change to "user3"
using "su -" this never happens:

% su - user3
pam_login_access: pam_sm_acct_mgmt: user3 is not allowed to log in on /dev/ttyp0
su: Sorry

Which is exactly what we need, but for FreeBSD 4.10.

There are differences between 4.10 and 6.1/6.2 for the configuration
of PAM and all its modules, but the configuration for login.access is
the same.

We read the documentation at the FreeBSD site about login.access and
there is no difference in the syntax of this file.

We have also read the man pages for login/pam/login.conf/login.access.

The file "login.conf" is the same for 4.10 and 6.1/6.2, we didn't
modify its content.

Is there another configuration file we are missing that should be
modified to restrict "user" from becoming "user3" using "su -" in FreeBSD
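What the two login.access rules quoted in the message mean for each account, as an added example that is not part of the original message and is not FreeBSD code. It is a simplified model (first matching line decides, no match allows) that handles only literal user names, ALL and EXCEPT; the names RULES_410 and RULES_6X and the origin "ttyp0" are labels chosen here. It models the file only, not whether a given PAM service consults it.

```python
# Simplified model of login.access evaluation (added example, not FreeBSD code).
# Assumption: only literal user names, ALL and EXCEPT are handled; groups,
# netgroups, LOCAL and host/network patterns are not.

def list_match(tokens, item):
    """True if item matches the list; tokens after EXCEPT are exceptions."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, exceptions = tokens[:cut], tokens[cut + 1:]
    else:
        head, exceptions = tokens, None
    if not any(tok in ("ALL", item) for tok in head):
        return False
    return exceptions is None or not list_match(exceptions, item)

def parse(text):
    """Yield (permission, user_tokens, origin_tokens) for each rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"bad login.access line: {raw!r}")
        perm, users, origins = fields
        yield perm, users.replace(",", " ").split(), origins.replace(",", " ").split()

def allowed(text, user, origin):
    """First rule matching both user and origin decides; no match allows."""
    for perm, users, origins in parse(text):
        if list_match(users, user) and list_match(origins, origin):
            return perm == "+"
    return True

# The two rule lines quoted in the message (labels are assumptions of this example).
RULES_410 = "-:ALL EXCEPT user user1 : ALL\n"
RULES_6X = "-:ALL EXCEPT user user1 user2 : ALL\n"

def report(text, users, origin="ttyp0"):
    """Map each user name to the allow/deny decision for the given rules."""
    return {u: allowed(text, u, origin) for u in users}

if __name__ == "__main__":
    names = ["user", "user1", "user2", "user3"]
    print("first file :", report(RULES_410, names))
    print("second file:", report(RULES_6X, names))
```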