Network Security Secure-Shell

RE: using PAM to permit local users.

Subject: RE: using PAM to permit local users.
Date: Sat, 1 Apr 2006 22:17:41 -0500
I updated pam_access to work for all of the PAM controls and it seems to be 
doing the job.
I still have to test it from outside the local network to be sure.

Do you know if anyone would be interested in incorporating the changes that I 
made to the .77 version?

With very minor mods, they should work for the .99 version as well.

PAM seems very useful once you get into it. It does not seem to have the 
documentation that would be required for most people to get more out of it. Too 
much "inside the beltway" for the average system administrator.


I suppose in a web-centric world, there are other more obvious ways to skin a 
cat but one wonders how useful it could be if there was some documentation. It 
certainly seems like a very good idea and quite flexible from what I can figure 
out.

Thanks to everyone for the advice and encouragement. You were right, it can be 
made to do what I want.


Ron

-----Original Message-----
From: Barry Brimer [mailto:barry.brimer@bigfoot.com]
Sent: March 31, 2006 6:13 PM
To: Ron Wheeler
Subject: Re: using PAM to permit local users.


Quoting Ron Wheeler <rwheeler@silonex.com>:

I am using pam_listfile to permit a small list of users to have access to
sshd no matter where they log in
I also have to permit ssh access to any user on our local network. With
listfiles I have to list every machine name on the network. This is bit of a
pain.

If listfiles understood wildcards, it would be ok. (*.silonex.com)

To go at the problem more directly, how hard would it be to build a new
plug-in to take a network description and determine if the user is attached
to that network?

auth required pam_localnet sense=allow          tests for 192.168.x.x or
10.x.x.x or ??? (I think there is one other private address range)

OR

auth required pam_net sense=allow net=192.168.1.0,205.151.82.0         test
for an arbitrary network  this is more complex but perhaps more useful.

This would solve my problem

auth   [success=1]   pam_listfile.so sense=allow file=/etc/sshd/allowedusers
auth   required         pam_localnet.so sense=allow
auth   required         pam_winbind.so
auth   required         pam_nologin.so

Have you considered pam_access?

Barry
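A worked example of the pam_access approach Barry suggests, added here and not part of the thread or of Linux-PAM itself: a constructed access.conf that grants a short list of users access from anywhere and everyone else access only from two local networks, together with a small Python model of how pam_access evaluates such a file (first rule whose user and origin fields both match decides; no match means allow). The user names, the two networks (taken from Ron's 192.168.1.0 / 205.151.82.0 example) and the hypothetical accessfile path are assumptions; the network/prefix origin syntax is that of current Linux-PAM, and the thread does not say whether the 0.77 release accepted it. Group and netgroup tokens are left out of the model.

```python
import ipaddress

# Constructed access.conf for sshd, modelled on the requirement in the thread:
# two named users may log in from anywhere, everyone else only from the two
# local networks, and everything else is denied. The user names and the
# networks (taken from Ron's example) are assumptions, not a real configuration.
# The "network/prefixlen" origin syntax is that of current Linux-PAM.
ACCESS_CONF = """
# permission : users : origins
+ : rwheeler bbrimer : ALL
+ : ALL : 192.168.1.0/24 205.151.82.0/255.255.255.0
- : ALL : ALL
"""


def parse_access_conf(text):
    """Parse access.conf lines into (allow, users, origins) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _list_match(items, match_one):
    """pam_access list semantics: a match before EXCEPT counts unless the
    user/origin also matches something after EXCEPT (EXCEPT may nest)."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _list_match(items[:i], match_one) and not _list_match(items[i + 1:], match_one)
    return any(match_one(item) for item in items)


def _user_match(item, user):
    # Only plain user names and ALL are modelled; pam_access also accepts
    # (group) and @netgroup tokens, which are left out here.
    return item == "ALL" or item.lower() == user.lower()


def _origin_match(item, origin):
    """Match one origin token against PAM_RHOST the way pam_access does."""
    if item == "ALL":
        return True
    if item == "LOCAL":
        # pam_access treats an origin string without a dot (bare hostname or tty) as local
        return "." not in origin
    if item.lower() == origin.lower():
        return True
    if item.startswith("."):          # domain suffix, e.g. .silonex.com
        return origin.lower().endswith(item.lower())
    if item.endswith("."):            # numeric prefix, e.g. 192.168.
        return origin.startswith(item)
    if "/" in item:                   # network/prefixlen or network/netmask
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:            # origin is a hostname, not an address
            return False
    return False


def check_access(rules, user, origin):
    """Return True when login is permitted.

    As in pam_access, the first rule whose user field AND origin field both
    match decides. If no rule matches, access is GRANTED, which is why the
    trailing '- : ALL : ALL' line is essential.
    """
    for allow, users, origins in rules:
        if _list_match(users, lambda u: _user_match(u, user)) and \
                _list_match(origins, lambda o: _origin_match(o, origin)):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, origin in [("rwheeler", "203.0.113.9"), ("jdoe", "192.168.1.42"),
                         ("jdoe", "205.151.82.7"), ("jdoe", "203.0.113.9")]:
        print(user, origin, "allow" if check_access(rules, user, origin) else "deny")
```

To apply such a file to sshd, the service's PAM stack (for example /etc/pam.d/sshd) needs a line like `account required pam_access.so accessfile=/etc/security/access-sshd.conf` (the path is an assumption) and sshd_config needs `UsePAM yes`. The module is conventionally placed in the account stack; which module types a given pam_access build provides is version dependent, which is consistent with Ron having to patch the .77 version. The origin pam_access sees is PAM_RHOST as sshd reports it, so a `.silonex.com` style rule only works when sshd resolves client names (`UseDNS`) and then trusts reverse DNS; address ranges are the safer form. Because an unmatched login is allowed, the `- : ALL : ALL` line must stay last.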
