Displaying 20 results from an estimated 48 matches for "pam_listfile".
2002 Feb 13
2
Problem with using both pam_listfile to deny logins and pubkey authentication
Hi,
I'm trying to use pam_listfile.so to deny logins from all others but few
users (names in /etc/loginusers). With password authentication it works
fine, but with public key authentication OpenSSH lets in users whose
names aren't in /etc/loginusers. AllowUsers in sshd_config does what
one would expect.
I'm using OpenS...
2005 Aug 02
0
where is "pam_listfile.so" for static userdb?
hi all,
i'm setting up Dovecot on OSX to use PAM authentication against a
flat_file/static userdb (tho i will _eventually_ mv to pgsql ...).
iiuc, to do so i need something like:
===================================
(EDITOR) /etc/pam.d/dovecot.imap
auth required pam_listfile.so item=user sense=allow file=/var/dovecot/imapusers onerr=fail
===================================
for a userdb listing in "/var/imapuser".
all simple & good, except --
-- where's "pam_listfile.so" on OSX?
% ls /usr/lib/pam/
pam_afpmount.so pam_nologin.so...
2004 May 14
0
winbind - pam_listfile.so for solaris
We use samba 2.2.9 with winbind. We use winbind for authentication.
I was able to selectively limit pop3 use among winbind users on redhat 9
with this pam configuration. (As you would use it in ftpusers, in the
reverse sense.)
auth required /lib/security/pam_listfile.so item=user onerr=fail sense=allow file=/etc/pop3users
This is the best solution for my situation, and I want to have that on my
Solaris servers as well. However, I couldn't find from my long searches
whether there's an equivalent of pam_listfile.so for solaris.
I understand users can m...
2010 Dec 27
3
Dovecot - AllowGroups option
Hi,
I'm trying to control access to different services on a Debian server using /etc/group. So that a user I create for FTP usage doesn't fill up my server with IMAP folders or samba garbage.
Services like proftpd have:
"AllowGroup ftpgroup"
sshd has
"AllowGroups sshgroup"
And samba has
"valid users = @smbgroup"
But I can't find the correct
2013 May 29
1
Enable IMAP only for certain users/IP
...c/pam.d/ there are two files:
dovecot-pop3
dovecot-imap
dovecot-pop3:
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
(for this protocol everything works fine, I don't want to limit it.)
dovecot-imap:
#%PAM-1.0
@include common-auth
auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
auth required pam_listfile.so item=user sense=allow file=/etc/dovecot/imapusers onerr=fail
@include common-account
@include common-session
If I'm not wrong, once the user is authenticated, PAM checks if the
remote...
2016 Oct 13
0
How to tell spicy client to use SASL authentication?
...to authenticate with password for each virsh use. I'm using SASL + saslauthd + PAM for that case.
/etc/sasl2/libvirt.conf:
mech_list: PLAIN
pwcheck_method: saslauthd
/etc/sasl2/qemu.conf:
mech_list: PLAIN
pwcheck_method: saslauthd
/etc/pam.d/libvirt:
auth requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
auth required pam_tally2.so onerr=succeed
auth required pam_nologin.so
auth required pam_unix.so try_first_pass likeauth nullok
account requisite pam_listfile.so item=...
2007 Jan 15
1
Winbind caching group membership issue
...ups" results are not
updated no matter the amount of elapsed time. It should be noted that
if I stop winbind and delete *.tdb then restart, updated info is
returned by "wbinfo" and "groups" but again, next changes will not be
reflected.
Why do I care? I am trying to use pam_listfile.so to control what ADS
accounts can log on to the box (by group membership). Pam_listfile is
not "seeing" updated group membership when winbind caching is enabled.
Somewhat ironically pam_winbind.so "sees" things correctly I suppose
because it never consults the cache.
What am...
2007 Dec 04
10
Using puppet to manage user access to servers.
I'm guessing this is a common use case, but I wasn't able to find
anything in the site FAQ. We're looking at using Puppet on about 100
servers to control which user groups have access to which servers.
The use case is as follows:
We have Groups of servers, for example:
CUSTOMERservers (serverA, serverB, ...,serverK)
ADMINISTRATIVEservers
2009 Nov 02
0
Restrict users from logging in: winbind
I have my Redhat 5.4 linux server fully integrated into my company's AD. The biggest issue I have is that I am using a rid backend which means that anyone with an AD account can log into the server. So my question is, how can I restrict server login via AD groups? I have tried using pam with pam_listfile, but for some reason it does not work, I keep getting errors about sshd refusing the user. I can use this config for su restrictions but not logins.
I keep getting the following error in /var/log/secure:
pam_listfile(sshd:auth): Refused user DOMAIN+user for service sshd
Does anyone have a work...
2004 Jun 06
2
Feature request?
I'd like to toss a feature request on the table for consideration. We
currently use a different popd because of a feature that allows us to
restrict pop access based upon an allowed users list. This is the only
thing that keeps us from using the popd in dovecot currently. It's a
simple text file of usernames that are allowed to use pop, if the name
isn't in that list then pop
2013 Oct 12
1
Problem with PAM, vpopmail and Roundcube
...ing [pam.d] for this as per
http://wiki.dovecot.org/Authentication/RestrictAccess but although I am
not getting any errors, all users are still allowed access unless I
block them with [vmoduser -i].
In [dovecot.conf] I have:
passdb pam {
args = *
}
In [/etc/pam.d/imap] I have:
auth required pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail
And in [/etc/imapusers] I have specified the only users that should
have access.
Any ideas why this isn't working?
-------------------------------------------------------
2. Allow access for all users coming from a specific IP
-------...
2009 Jul 10
1
vsftpd not able to log in
...id=0 auid=0
subj=root:system_r:ftpd_t:s0 msg='PAM: authentication acct="user" :
exe="/usr/sbin/vsftpd" (hostname=hostname, addr=1.2.3.4, terminal=ftp
res=failed)'
cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
# grep local /etc/vsftpd/vsftpd.conf
local_enable=YES
local_umask=0...
2007 Jun 16
3
Per user based protocol access and pause after failed login?
Hello.
Tried search, no luck, sorry, if this is already answered, but I'm still
looking for a solution using pam_auth how to define in dovecot which user
can access which protocol, for example, default is:
protocols = pop3 pop3s imap imaps
I'd like to use something like this:
exclude_using_pop = user1, user2, @group
exclude_using_pops = user1, user2, @group
exclude_using_imap = user1,
2007 Aug 25
1
Bug in replace parameter on file types?
...tive-directory-member/krb5.conf";
"/etc/pam.d/common-auth":
source =>
"puppet:///files/apps/active-directory-member/common-auth";
"/etc/security/users.conf":
source => [
"puppet:///files/apps/pam_listfile/users.conf.$hostname",
"puppet:///files/apps/pam_listfile/users.conf.default"
];
}
exec {
"netjoin":
command => "/usr/bin/net rpc join -U account%password",
creates => "/var/lib...
2009 Nov 05
3
ADS, pam_winbind and vsftpd
...standing that PAM-stuff and I have some pressure to get
that ftp-server up, so please would someone help me out?
My file:
This one is heavily edited now, as I played trial and error for hours.
# cat /etc/pam.d/vsftpd
#%PAM-1.0
# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so
account sufficient pam_winbind.so
account required p...
2007 Sep 24
3
Bug#443886: /etc/logcheck/ignore.d.server/proftpd: [proftpd] Refused user $USER for service $FOO
...ckage: logcheck-database
Version: 1.2.61
Severity: wishlist
File: /etc/logcheck/ignore.d.server/proftpd
Two weeks ago, I got a rush of these:
Sep 8 12:37:07 goretex proftpd: PAM-listfile: Refused user news for service proftpd
(Apparently, fail2ban managed to miss those.)
This is triggered by pam_listfile, which is used by proftpd (and other
FTP daemons) to block users listed in /etc/ftpusers.
Given how lazy I am, I simply wrote a rule for my own particular daemon:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: PAM-listfile: Refused user [-_.[:alnum:]]+ for service proftpd$
I'm not sure how y...
2003 Nov 18
0
Samba PDC trying rid null logins
...in.txt>> <<passwd.txt>> <<samba.txt>>
> <<smb.conf>> <<su.txt>> <<smb_server.conf>>
>
>
> Thanks
>
> Tameika Reed
>
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#this line was changed should be pam_pwdb
auth sufficient /lib/security/pam_winbind.so shadow
auth required /lib/security/pam_shells.so
#this line was changed should be pam_pwdb
account required /lib/security/pam_winbind.so...
2004 Jan 12
1
PAM_ERROR_MSG and PAM_TEXT_INFO from modules
...,
but obviously access isn't denied anymore. this is still curious since
pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
message via the same conversation mechanism.
here is the pam config I've tested with:
#%PAM-1.0
auth requisite pam_noulogin.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
auth required pam_unix.so
auth required pam_env.so # [1]
auth required pam_shells.so
account requisite pam_noulogin.so
account required pam_unix.so
session required pam_unix.so
session required p...
2003 Nov 19
0
FW: Samba PDC trying rid null logins
...in.txt>> <<passwd.txt>> <<samba.txt>>
> <<smb.conf>> <<su.txt>> <<smb_server.conf>>
>
>
> Thanks
>
> Tameika Reed
>
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#this line was changed should be pam_pwdb
auth sufficient /lib/security/pam_winbind.so shadow
auth required /lib/security/pam_shells.so
#this line was changed should be pam_pwdb
account required /lib/security/pam_winbind.so...
2015 Oct 12
1
getting error Ignoring parameter browse directory and winbind sequence directory
...want to change anything?
>
>
OK, I have installed proftpd on a Debian Jessie Samba 4.3.0 domain
member and set it up to use AD for authentication and it works for me
(note, I did not use ldap authentication, I used PAM)
My PAM setup is this:
/etc/pam.d/proftpd
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
@include common-account
@include common-session
/etc/pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure
try_first_p...