Difference between revisions of "PAM"
| (4 intermediate revisions by 2 users not shown) | |||
| Line 2: | Line 2: | ||
== Remote Access Control == | == Remote Access Control == | ||
''/etc/pam.d/sshd'' contains <code>account required pam_access.so</code>.<br />''/etc/security/access.conf'' contains the rules for who can log into the machine. | ''/etc/pam.d/sshd'' contains <code>account required pam_access.so</code>.<br />''/etc/security/access.conf'' contains the rules for who can log into the machine. | ||
| + | |||
| + | ''/etc/pam.d/system-suth''<br/> | ||
| + | Should contain these lines otherwise ssh among other service will not authenticate to einstein.<br/> | ||
| + | <code> | ||
| + | auth sufficient pam_ldap.so use_first_pass<br/> | ||
| + | account required pam_unix.so broken_shadow<br/> | ||
| + | account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br/> | ||
| + | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok<br/> | ||
| + | password sufficient pam_ldap.so use_authtok<br/> | ||
| + | session optional pam_ldap.so<br/> | ||
| + | </code> | ||
Chart of what groups can log onto what machines: | Chart of what groups can log onto what machines: | ||
| Line 23: | Line 34: | ||
| [[tomato]] || yes || no || yes || no || yes || | | [[tomato]] || yes || no || yes || no || yes || | ||
|- | |- | ||
| − | | [[okra]] || yes || no || yes || no || yes || | + | | <strike>[[okra]]</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || |
|- | |- | ||
|} | |} | ||
| Line 30: | Line 41: | ||
* adams | * adams | ||
* adrian | * adrian | ||
| + | * aduston | ||
* bm | * bm | ||
* bogdan | * bogdan | ||
Latest revision as of 20:16, 22 September 2014
"Pluggable Authentication Module." Programs that are aware of PAM use the modules defined in the PAM configuration files for making authentication/access decisions.
Remote Access Control
/etc/pam.d/sshd contains account required pam_access.so.
/etc/security/access.conf contains the rules for who can log into the machine.
/etc/pam.d/system-suth
Should contain these lines otherwise ssh among other service will not authenticate to einstein.
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
Chart of what groups can log onto what machines:
| name | restricted by access.conf | no group | npg | farm | domain_admins | splunker |
|---|---|---|---|---|---|---|
| einstein | no | yes | yes | yes | yes | |
| lentil | no | yes | yes | yes | yes | |
| gourd | yes | no | yes | no | yes | |
| roentgen | yes | no | yes | no | yes | |
| taro | yes | no | no | yes | yes | |
| pepper | yes | no | no | yes | yes | |
| jalapeno | yes | no | no | no | yes | yes |
| tomato | yes | no | yes | no | yes | |
Users in NPG
- adams
- adrian
- aduston
- bm
- bogdan
- dabagian
- dawson
- edh
- gavalian
- hersman
- hz5w
- iimothys
- iulian
- jhh
- johnk
- jrc
- karpiusp
- ketel
- lzana
- maurik
- mmason
- muradian
- nenchev
- octavian
- pjb
- protopop
- sgarman
- shepard
- silas
- wzm
- crowlebw
- hovanes
- cglynn
- wporter
- jketel
- ntadmin
- domain_admin
- bradford
- momi
- mccoyst
- minuti
- dal
- bbobbin
- ndelete
- kyle
- jishnu
- dan
- junnarkar
- sam
- steve
- karpiustest
- sarahp
