My words on free/open source software

Monday, June 11, 2007

Disable one user's remote login on Linux

I had to disable one particular user's remote login on Linux. It sounds simple, but it cost me some time. The normal way is to change the PAM settings, using pam_access.so to control user login. The following steps were tested on Red Hat Linuxes (Fedora, RHEL, CentOS, etc.).

First you should enable pam_access.so:

  1. Unlink "/etc/pam.d/system-auth", which is a link to "/etc/pam.d/system-auth-ac".

  2. Create a new "/etc/pam.d/system-auth" that includes all settings from "/etc/pam.d/system-auth-ac", like this:

    auth include system-auth-ac
    account include system-auth-ac
    password include system-auth-ac
    session include system-auth-ac

  3. Insert "pam_access.so":

    auth include system-auth-ac
    account required pam_access.so
    account include system-auth-ac
    password include system-auth-ac
    session include system-auth-ac



Now you can configure pam_access.so by editing "/etc/security/access.conf", like this:

    + : player : LOCAL
    - : player : ALL


For more info, read "man access.conf".
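
The order of the two access.conf lines matters, because the first entry that matches the user and origin decides and a login that matches no entry is granted. The following is an added example, not part of the original post and not pam_access's own code: a simplified Python model of that evaluation, assuming exact user names, an origin that is either a tty or a host name, and LOCAL meaning "no remote host". It compares the post's rules, the same rules reversed, and the one-line "ALL EXCEPT LOCAL" form from the comment below rewritten for the user "player".

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access itself).
# Assumptions: users match by exact name or ALL; an origin is a tty name for a
# local login or a host name for a remote one; LOCAL means "no remote host".

def parse_rules(text):
    """Parse 'permission : users : origins' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {perm!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def list_match(tokens, value, is_remote, origin_field):
    """Match value against a token list with an optional EXCEPT exclusion list."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], value, is_remote, origin_field)
                and not list_match(tokens[i + 1:], value, is_remote, origin_field))
    for tok in tokens:
        if tok == "ALL" or tok == value:
            return True
        if origin_field and tok == "LOCAL" and not is_remote:
            return True
    return False

def allowed(rules, user, origin, is_remote):
    """The first matching rule decides; no match means access is granted."""
    for perm, users, origins in rules:
        if (list_match(users, user, is_remote, False)
                and list_match(origins, origin, is_remote, True)):
            return perm == "+"
    return True

# Constructed inputs: the post's two rules, the same rules reversed, and the
# comment's one-line form rewritten for the same user.
POST_RULES = parse_rules("+ : player : LOCAL\n- : player : ALL")
REVERSED = parse_rules("- : player : ALL\n+ : player : LOCAL")
ONE_LINE = parse_rules("-:player:ALL EXCEPT LOCAL")

if __name__ == "__main__":
    for name, rules in [("post", POST_RULES), ("reversed", REVERSED), ("one-line", ONE_LINE)]:
        print(name, "local:", allowed(rules, "player", "tty1", False),
              "remote:", allowed(rules, "player", "host.example.com", True))
```

With the lines reversed, the deny entry matches first and the user is locked out of the console as well, so check a local login before closing your working session.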

1 comment:

Anonymous said...

Short way:

In file
/etc/pam.d/ssh
Uncomment the line:
account required pam_access.so

In file
/etc/security/access.conf
Add the line:
-:abc:ALL EXCEPT LOCAL
