On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.ase...@gmail.com>wrote:

> On 07/08/2013 07:44 PM, KodaK wrote:
>> We've just discovered that AIX does not honor HBAC rules with telnet.
>>   ssh is fine.
> no AIX expericence, but I once overheard someone that did something like
> this using pam and apparently you could use the pam_permission module:
> http://pic.dhe.ibm.com/**infocenter/aix/v6r1/index.jsp?**
> topic=%2Fcom.ibm.aix.files%**2Fdoc%2Faixfiles%2Fpam_**permission.htm<http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm>
> so you could add this to /etc/pam.conf
> telnet auth requisite /usr/lib/security/pam_**permission
> file=/etc/pam.groups.telnet found=allow
> and create the file /etc/pam.groups.telnet with info like this:
> +@mygroup1
> +@mygroup2
> -@mygroup3
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
> Totally untested :-) but maybe worth a shot.

Thanks.  I'm stuck though.

IBMs insistence on doing everything Not Unix in AIX is frustrating my

1) they don't use straight up PAM.  They have some older version they
include with the OS.
2) their version has very few modules that come with it.  It does, however,
have pam_permissions,
    but does not include pam_krb5.

Here's the list:

pam_aix          pam_allowroot    pam_mkuserhome   pam_prohibit
pam_allow        pam_ckfile       pam_permission   pam_rhosts_auth

That's a far cry from the 69 or so pam modules I see on Linux boxes.

Before I can move on I have to get pam_krb5 to build for AIX and that's
proving to be very difficult.

I'm hoping the pam_hbac thing will pan out.

I'm about ready to just yank Kerberos from the AIX machines and fall back
to local authentication.
The actual AIX admins seem to have no interest in helping me, so they can
reap what they
sow with their inaction and have to manage individual users on individual

The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
Freeipa-users mailing list

Reply via email to