Displaying 7 results from an estimated 7 matches for "pam_namespace".
2024 Dec 19
1
PAM session setup and environment variables
...> While XDG_SESSION_CLASS and XDG_SESSION_TYPE variables mentioned by Michal
> are harmless, those LC_* variables AcceptEnv'ed in many default setups are
> also likely to be OK, allowing arbitrary variables listed in AcceptEnv
> could be risky given that some PAM session modules like pam_namespace and
> pam_exec invoke external executables and could be affected by e.g. LD_*
> variables.
>
> If we're aiming for flexibility without sacrificing security, then a new
> sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify
> what is allowed to be forwarded...
2015 Apr 15
2
systemd private tmp dirs
On Wed, Apr 15, 2015 at 5:01 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> On Wed, Apr 15, 2015 at 04:15:23PM -0500, Les Mikesell wrote:
>> > Why does this directory have to be /tmp rather than a specific
>> > directory belonging to twiki?
>> Twiki is a perl web application run under apache. It doesn't have its
>> own uid. It doesn't
2015 Apr 15
0
systemd private tmp dirs
...ithout systemd? That just happened
> to be the first thing I've tried to move over that wasn't already
> packaged and adapted - I expect to hit many more.
This isn't really a systemd thing. It's a standard Linux kernel
feature, which could also be enabled with (for example) pam_namespace.
Systemd happens to make it easy, so we started enabling it for services
which would benefit on Fedora, and that was inherited into RHEL and
CentOS. See the change page for this
<https://fedoraproject.org/wiki/Features/ServicesPrivateTmp>.
If you're really interested in learning every po...
2025 Jan 19
0
[Bug 3778] New: Custom PAM module's pam_info / pam_echo duplicated output when running on SSH
....so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
#session optional pam_motd.so
session include password-auth
session include postlogin
Using this configuration will throw the following output:
[myuser at rhel9vc ~]$ ssh localhost
(myuser at localhost) Password:
hello...
2024 Dec 20
1
PAM session setup and environment variables
...ESSION_CLASS and XDG_SESSION_TYPE variables mentioned by Michal
> > are harmless, those LC_* variables AcceptEnv'ed in many default setups are
> > also likely to be OK, allowing arbitrary variables listed in AcceptEnv
> > could be risky given that some PAM session modules like pam_namespace and
> > pam_exec invoke external executables and could be affected by e.g. LD_*
> > variables.
> >
> > If we're aiming for flexibility without sacrificing security, then a new
> > sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify
> > w...
2015 Apr 16
3
systemd private tmp dirs
...just happened
>> to be the first thing I've tried to move over that wasn't already
>> packaged and adapted - I expect to hit many more.
>
> This isn't really a systemd thing. It's a standard Linux kernel
> feature, which could also be enabled with (for example) pam_namespace.
> Systemd happens to make it easy, so we started enabling it for services
> which would benefit on Fedora, and that was inherited into RHEL and
> CentOS. See the change page for this
> <https://fedoraproject.org/wiki/Features/ServicesPrivateTmp>.
>
> If you're really in...
2018 Aug 07
2
id <username> - doesnt list all groups
Thanks for your answer:
But I don't understand why the following is not working:
I want to restrict the ssh access for a special domain member:
In my "sshd_config" I added:
AllowGroups restrictaccess root
With user2 I'm able to login via ssh!
log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE
With user1 I'm not!
log: User user1 from 192.168.0.100 not allowed