PAM

"Pluggable Authentication Module." Programs that are aware of PAM use the modules defined in the PAM configuration files to make authentication and access decisions.

== Remote Access Control ==
''/etc/pam.d/sshd'' contains <code>account required pam_access.so</code>.<br />
''/etc/security/access.conf'' contains the rules for who can log into the machine.

''/etc/pam.d/system-auth''<br/>
should contain these lines; otherwise ssh, among other services, will not authenticate to einstein.
<pre>
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
</pre>

Chart of what groups can log onto what machines:
{| border="1" cellspacing="0" cellpadding="5"
! name !! restricted by access.conf !! no group !! npg !! farm !! domain_admins !! splunker
|-
| [[einstein]] || no || yes || yes || yes || yes ||
|-
| [[lentil]] || no || yes || yes || yes || yes ||
|-
| [[gourd]] || yes || no || yes || no || yes ||
|-
| [[roentgen]] || yes || no || yes || no || yes ||
|-
| [[taro]] || yes || no || no || yes || yes ||
|-
| [[pepper]] || yes || no || no || yes || yes ||
|-
| [[jalapeno]] || yes || no || no || no || yes || yes
|-
| [[tomato]] || yes || no || yes || no || yes ||
|-
| <strike>[[okra]]</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> ||
|}
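As an added example (not from this wiki page), the following Python models how pam_access evaluates ''access.conf'' rules, so a policy such as the one behind the gourd row of the chart can be checked against the chart before it is deployed. The rule text and the user names in it are constructed for the example, and LOCAL, netgroup, CIDR and tty origins are deliberately not implemented.

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does.

Each line is "permission : users/groups : origins"; the first line whose
user field and origin field both match decides (+ allow, - deny), and a
user matching no line is allowed. Supported tokens: ALL, EXCEPT, a user
name, a bare group name, or a group in parentheses. Assumed
simplification: LOCAL, netgroups, CIDR origins and ttys are not handled.
"""
from typing import Callable, List, Tuple

Rule = Tuple[bool, List[str], List[str]]  # (allow, user tokens, origin tokens)

def parse_access_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _match(tokens: List[str], hit: Callable[[str], bool]) -> bool:
    """ALL matches everything; 'X EXCEPT Y' matches X unless Y matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], hit) and not _match(tokens[i + 1:], hit)
    return any(t == "ALL" or hit(t) for t in tokens)

def check_access(rules: List[Rule], user: str, groups: List[str], origin: str) -> bool:
    def user_hit(tok: str) -> bool:
        if tok.startswith("(") and tok.endswith(")"):  # "(group)" form
            return tok[1:-1] in groups
        return tok == user or tok in groups  # bare token: user first, then group

    for allow, users, origins in rules:
        if _match(users, user_hit) and _match(origins, lambda t: t == origin):
            return allow
    return True  # no line matched: pam_access grants access by default

# Constructed policy reproducing the chart's gourd row: npg and
# domain_admins may log in from anywhere, everyone else is refused.
GOURD_ACCESS_CONF = """
+ : (npg) (domain_admins) : ALL
- : ALL : ALL
"""

# Constructed policy showing EXCEPT: refuse everyone except root and npg.
EXCEPT_ACCESS_CONF = "- : ALL EXCEPT root (npg) : ALL\n"
```

Feeding each machine's real ''access.conf'' through <code>check_access</code> with a member of every group in the chart is a quick way to confirm the deployed files still agree with the table.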

== Users in NPG ==
* adams
* adrian
* aduston
* bm
* bogdan
* dabagian
* dawson
* edh
* gavalian
* hersman
* hz5w
* iimothys
* iulian
* jhh
* johnk
* jrc
* karpiusp
* ketel
* lzana
* maurik
* mmason
* muradian
* nenchev
* octavian
* pjb
* protopop
* sgarman
* shepard
* silas
* wzm
* crowlebw
* hovanes
* cglynn
* wporter
* jketel
* ntadmin
* domain_admin
* bradford
* momi
* mccoyst
* minuti
* dal
* bbobbin
* ndelete
* kyle
* jishnu
* dan
* junnarkar
* sam
* steve
* karpiustest
* sarahp

== External Links ==
[http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html pam_access PAM module document]
Latest revision as of 20:16, 22 September 2014