Difference between revisions of "PAM"

From Nuclear Physics Group Documentation Pages
"Pluggable Authentication Module."  Programs that are aware of PAM use the modules defined in the PAM configuration files for making authentication/access decisions.
== Remote Access Control ==
''/etc/pam.d/sshd'' contains <code>account    required    pam_access.so</code>.<br />''/etc/security/access.conf'' contains the rules for who can log into the machine.

''/etc/pam.d/system-auth''

Should contain these lines; otherwise ssh, among other services, will not authenticate to einstein:

<pre>
auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
</pre>
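The second column of each line (the control field) decides how a module's return code feeds into the stack's verdict, and the bracketed form on the pam_ldap.so account line is what makes a local-only account survive the LDAP account check. The following Python is an added illustration, not code from this page or from Linux-PAM: it models the dispatch rules Linux-PAM applies (the keywords required, requisite, sufficient and optional are shorthand for bracketed action tables) and runs the system-auth lines above through a few scenarios. Module return codes are supplied as inputs, so nothing here contacts LDAP, /etc/passwd or /etc/shadow. The <code>auth required pam_deny.so</code> line is an assumed terminator for the auth stack that the page itself does not show.

```python
"""Added example: a model of Linux-PAM stack dispatch, applied to the
system-auth lines quoted above.  Module return codes are inputs here;
nothing talks to LDAP, /etc/passwd or /etc/shadow."""

# The keyword controls are shorthand for bracketed action tables
# (this is the expansion Linux-PAM documents in pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Lines from the page, plus an ASSUMED trailing pam_deny.so that closes the
# auth stack (the page shows only the pam_ldap.so auth line).
SYSTEM_AUTH = """\
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
"""


def parse_control(field):
    """Turn 'required' or '[default=bad success=ok ...]' into an action table."""
    if field.startswith("["):
        return dict(item.split("=", 1) for item in field.strip("[]").split())
    return KEYWORD_CONTROLS[field]


def parse_stack(config, facility):
    """Return [(module, action_table)] for one facility (auth, account, ...)."""
    stack = []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] != facility:
            continue
        if parts[1].startswith("["):              # bracketed control spans several words
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, module = " ".join(parts[1:end + 1]), parts[end + 1]
        else:
            control, module = parts[1], parts[2]
        stack.append((module, parse_control(control)))
    return stack


def run_stack(stack, results):
    """Walk the stack the way pam_dispatch does; results maps module -> return code."""
    impression = None          # None: undecided, True: passing, False: failed
    status = "perm_denied"
    for module, table in stack:
        retval = results[module]
        action = table.get(retval, table["default"])
        if action == "done":                       # sufficient + success: stop now,
            if impression is not False:            # unless an earlier required line failed
                return retval
        elif action == "ok":
            if impression is not False:            # a recorded failure is never overwritten
                impression, status = True, retval
        elif action in ("bad", "die"):
            if impression is not False:            # the first failure is the one reported
                impression, status = False, retval
            if action == "die":                    # requisite: stop immediately
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        # "ignore": the module has no say in the verdict
    return status if impression is not None else "perm_denied"


def account_verdict(unix_result, ldap_result):
    """Verdict of the page's account stack for given pam_unix / pam_ldap results."""
    stack = parse_stack(SYSTEM_AUTH, "account")
    return run_stack(stack, {"pam_unix.so": unix_result, "pam_ldap.so": ldap_result})


def auth_verdict(ldap_result):
    """Verdict of the auth stack (pam_ldap sufficient, then the assumed pam_deny)."""
    stack = parse_stack(SYSTEM_AUTH, "auth")
    return run_stack(stack, {"pam_ldap.so": ldap_result, "pam_deny.so": "perm_denied"})


if __name__ == "__main__":
    # A local-only account (unknown to LDAP) still passes: user_unknown=ignore.
    print("local user, unknown to LDAP :", account_verdict("success", "user_unknown"))
    # An expired LDAP account is refused: default=bad.
    print("LDAP account expired        :", account_verdict("success", "acct_expired"))
    # A failure in the required pam_unix line cannot be rescued by pam_ldap.
    print("pam_unix expired            :", account_verdict("acct_expired", "success"))
    # A wrong LDAP password is ignored by the sufficient line and lands on pam_deny.
    print("auth, bad LDAP password     :", auth_verdict("auth_err"))
```

Two things the model makes visible: a bracketed control lists only the return codes it names, so anything else (including PAM_IGNORE) takes the <code>default=</code> action, which is why <code>user_unknown=ignore</code> has to be spelled out; and a <code>sufficient</code> success ends the stack early, so a <code>required</code> line placed after it is never consulted for that user.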
  
 
Chart of what groups can log onto what machines:

{| border="1" cellspacing="0" cellpadding="5"
! name !! restricted by access.conf !! no group !! npg !! farm !! domain_admins !! splunker
|-
| [[einstein]] || no || yes || yes || yes || yes ||
|-
| [[lentil]] || no || yes || yes || yes || yes ||
|-
| [[gourd]] || yes || no || yes || no || yes ||
|-
| [[roentgen]] || yes || no || yes || no || yes ||
|-
| [[taro]] || yes || no || no || yes || yes ||
|-
| [[pepper]] || yes || no || no || yes || yes ||
|-
| [[jalapeno]] || yes || no || no || no || yes || yes
|-
| [[tomato]] || yes || no || yes || no || yes ||
|-
| <strike>[[okra]]</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> || <strike>no</strike> || <strike>yes</strike> ||
|}
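As an added illustration of what the "restricted by access.conf" column means in practice, here is what ''/etc/security/access.conf'' would look like for a host restricted the way the [[taro]] row above describes: members of farm and domain_admins may log in, npg members and accounts in no listed group may not. This is a constructed example, not a file copied from any NPG machine; the parentheses are pam_access syntax for group names, and the console-only root line and the closing deny-all rule are assumptions about what an administrator would want rather than something the page states.

```text
# /etc/security/access.conf  (constructed example for a taro-style host)
# Format:  permission : users or (groups) : origins
#   "+" grants, "-" denies; the first line that matches the user decides.

# ASSUMED: keep root usable from the console so a mistake further down
# cannot lock an administrator out of the machine itself.
+ : root : LOCAL

# Groups that the chart allows on taro.
+ : (farm) (domain_admins) : ALL

# ASSUMED closing rule: everyone else (npg, accounts in no listed group)
# is refused on every origin.
- : ALL : ALL
```

Because ''/etc/pam.d/sshd'' loads pam_access in the <code>account</code> phase, the rule is evaluated after authentication has already succeeded, so it applies to public-key logins as well as password logins; it does not affect services whose pam.d file lacks the line. pam_access resolves group membership through NSS, so an LDAP group such as farm has to be visible to <code>getent group farm</code> on that host, or its members will be refused. When changing the file, keep an existing session open and try a fresh login as a user from each group before closing it.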

== Users in NPG ==
* adams
* adrian
* aduston
* bm
* bogdan
* dabagian
* dawson
* edh
* gavalian
* hersman
* hz5w
* iimothys
* iulian
* jhh
* johnk
* jrc
* karpiusp
* ketel
* lzana
* maurik
* mmason
* muradian
* nenchev
* octavian
* pjb
* protopop
* sgarman
* shepard
* silas
* wzm
* crowlebw
* hovanes
* cglynn
* wporter
* jketel
* ntadmin
* domain_admin
* bradford
* momi
* mccoyst
* minuti
* dal
* bbobbin
* ndelete
* kyle
* jishnu
* dan
* junnarkar
* sam
* steve
* karpiustest
* sarahp
  
 
== External Links ==

[http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html pam_access PAM module document]

Latest revision as of 20:16, 22 September 2014