Difference between revisions of "PAM"
(5 intermediate revisions by 3 users not shown) | |||
Line 2: | Line 2: | ||
== Remote Access Control == | == Remote Access Control == | ||
''/etc/pam.d/sshd'' contains <code>account required pam_access.so</code>.<br />''/etc/security/access.conf'' contains the rules for who can log into the machine. | ''/etc/pam.d/sshd'' contains <code>account required pam_access.so</code>.<br />''/etc/security/access.conf'' contains the rules for who can log into the machine. | ||
+ | |||
+ | ''/etc/pam.d/system-suth''<br/> | ||
+ | Should contain these lines otherwise ssh among other service will not authenticate to einstein.<br/> | ||
+ | <code> | ||
+ | auth sufficient pam_ldap.so use_first_pass<br/> | ||
+ | account required pam_unix.so broken_shadow<br/> | ||
+ | account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br/> | ||
+ | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok<br/> | ||
+ | password sufficient pam_ldap.so use_authtok<br/> | ||
+ | session optional pam_ldap.so<br/> | ||
+ | </code> | ||
Chart of what groups can log onto what machines: | Chart of what groups can log onto what machines: | ||
Line 23: | Line 34: | ||
| [[tomato]] || yes || no || yes || no || yes || | | [[tomato]] || yes || no || yes || no || yes || | ||
|- | |- | ||
− | | [[okra]] || yes || no || yes || no || yes || | + | | <strike>[[okra]]</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || |
|- | |- | ||
|} | |} | ||
Line 30: | Line 41: | ||
* adams | * adams | ||
* adrian | * adrian | ||
+ | * aduston | ||
* bm | * bm | ||
* bogdan | * bogdan | ||
Line 75: | Line 87: | ||
* dan | * dan | ||
* junnarkar | * junnarkar | ||
+ | * sam | ||
+ | * steve | ||
+ | * karpiustest | ||
+ | * sarahp | ||
== External Links == | == External Links == | ||
[http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html pam_access PAM module document] | [http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html pam_access PAM module document] |
Latest revision as of 20:16, 22 September 2014
"Pluggable Authentication Module." Programs that are aware of PAM use the modules defined in the PAM configuration files for making authentication/access decisions.
Remote Access Control
/etc/pam.d/sshd contains account required pam_access.so
.
/etc/security/access.conf contains the rules for who can log into the machine.
/etc/pam.d/system-suth
Should contain these lines otherwise ssh among other service will not authenticate to einstein.
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
Chart of what groups can log onto what machines:
name | restricted by access.conf | no group | npg | farm | domain_admins | splunker |
---|---|---|---|---|---|---|
einstein | no | yes | yes | yes | yes | |
lentil | no | yes | yes | yes | yes | |
gourd | yes | no | yes | no | yes | |
roentgen | yes | no | yes | no | yes | |
taro | yes | no | no | yes | yes | |
pepper | yes | no | no | yes | yes | |
jalapeno | yes | no | no | no | yes | yes |
tomato | yes | no | yes | no | yes | |
Users in NPG
- adams
- adrian
- aduston
- bm
- bogdan
- dabagian
- dawson
- edh
- gavalian
- hersman
- hz5w
- iimothys
- iulian
- jhh
- johnk
- jrc
- karpiusp
- ketel
- lzana
- maurik
- mmason
- muradian
- nenchev
- octavian
- pjb
- protopop
- sgarman
- shepard
- silas
- wzm
- crowlebw
- hovanes
- cglynn
- wporter
- jketel
- ntadmin
- domain_admin
- bradford
- momi
- mccoyst
- minuti
- dal
- bbobbin
- ndelete
- kyle
- jishnu
- dan
- junnarkar
- sam
- steve
- karpiustest
- sarahp