[plug] Login Restrictions
James Devenish
devenish at guild.uwa.edu.au
Sat Jul 17 19:14:22 WST 2004
In message <6.1.2.0.2.20040717170923.01dde9a8 at 127.0.0.1>
on Sat, Jul 17, 2004 at 05:12:08PM +0800, Tim White wrote:
> I wish to be able to prevent a user from local[1] login without preventing
> network access. I know that putting /bin/false in for their shell will
> prevent text based logins but not graphical logins.
Okay, don't change your users' shells (because that will interfere with
SSH). Console text logins are usually mediated by processes called
`getty` or `ttymon` (name varies with platform) which will then hand off
to `login` once a username and password are entered. On your system, it
is possible that `login` will use "PAM" for authentication. If so, have
a look at /etc/security/access.conf. Make the appropriate additions,
then enable this file by editing /etc/pam.d/login (search the latter for
the string 'access.conf'). Be warned that I might be completely off
track, so don't expect miracles ;-) As for console X11 logins, that
might depend on your display manager (e.g. xdm, gdm, kdm). If yours uses
PAM, then find the appropriate file in /etc/pam.d (e.g. /etc/pam.d/gdm)
and make the same sort of modification that you made in
/etc/pam.d/login. I'm just guessing. Maybe let us know whether it works,
fails or locks you out of your system ;-)
More information about the plug
mailing list