search for: pam_tim

I am investigating how to limit user logins via sshd to specific times of day. I have the basic syntax but what I want to know is how does pam_time.so process time.conf. Say I have a clutch of users that should login between 07:00 and 18:00 Monday to Friday. I infer that the following will handle that: sshd;*;*,Wk0700-1800 However, what is not clear to me is how does one permit certain userids additional login periods while handling the...

...just a question to see if what I want to do can be done, since I have had no luck in doing it so far... I have set up a 2.2.3a domain controller, and I can join Windows XP clients to the domain, and log in as domain users. I want to use PAM to enforce account restrictions, such as login time using pam_time. I currently have the *stacked* version of the /etc/pam.d/samba file installed, and I have modified my /etc/pam.d/system-auth file to look as such: --cut account requisite /lib/security/pam_time.so account required /lib/security/pam_unix.so --cut I have a feeling that the restrictions are w...

Hi, is there a dovecot feature I did not found yet, which can limit the access to the server to special timeslots like working hours? Or is that a serverside / sssd / auth / pam / account feature? Thanks for hints to some helpfull documentation and sugesstions. Regards . G?tz -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type:

...included in sshd: #### /etc/pam.d/system-auth auth requisite pam_unix.so try_first_pass nullok auth optional pam_permit.so auth required pam_env.so auth optional pam_smbpass.so migrate account required pam_unix.so account optional pam_permit.so account required pam_time.so password requisite pam_unix.so try_first_pass nullok sha512 shadow password optional pam_smbpass.so try_first_pass nollok password optional pam_permit.so session required pam_limits.so session required pam_unix.so session optional pam_permit.so Now if I try to login with te...

.../system-auth > auth requisite pam_unix.so try_first_pass nullok > auth optional pam_permit.so > auth required pam_env.so > auth optional pam_smbpass.so migrate > account required pam_unix.so > account optional pam_permit.so > account required pam_time.so > password requisite pam_unix.so try_first_pass nullok sha512 shadow > password optional pam_smbpass.so try_first_pass nollok > password optional pam_permit.so > session required pam_limits.so > session required pam_unix.so > session optional pam_permit.so &...

The denyUsers / AllowUsers option in openSSH does not satisfy our needs. We want to supply our own software to allow/deny sessions based on time of day. I do not know if PAM can do this, but in any case we can not use PAM. ? Did someone do such a change in openSSH code

...lent into the agent or into such a library. the key agent would send notifications when keys exceed their lifetime. in fact, this is a major missing component of PAM. in this context it might even make sense to create meta-entries for kerberos tokens and even unix passwords (with close relation to pam_time/pam_group). end-user/desktop applications (password managers, ssh, gpg, etc.) would use the keys stored in the agent - obviously. a buzz word that comes to mind is x.509 compliance, but i really have no idea what that would include. as far as security goes, i really need some input. possible co...

With OpenSSH 2.9.9p2 as the server, I'm not able to do scp or "ssh machinename command" in general to any of my Suns! I tracked this down a bit; the problem occurs only when PAM support is enabled. However, if I remove line 430 of session.c, "do_pam_session(s->pw->pw_name, NULL);" inside of do_exec_no_pty, the problem goes away. It looks like the following entry

https://bugzilla.mindrot.org/show_bug.cgi?id=2499 Bug ID: 2499 Summary: It would be nice to have a tool to manage ssh connections Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd

.../system-auth > auth requisite pam_unix.so try_first_pass nullok > auth optional pam_permit.so > auth required pam_env.so > auth optional pam_smbpass.so migrate > account required pam_unix.so > account optional pam_permit.so > account required pam_time.so > password requisite pam_unix.so try_first_pass nullok sha512 shadow > password optional pam_smbpass.so try_first_pass nollok > password optional pam_permit.so > session required pam_limits.so > session required pam_unix.so > session optional pam_permit.so &...

...rror on the server is: debug3: PAM: opening session PAM: pam_open_session(): Can not make/remove entry for session I have determined the problem is that pam_unix.so.1 does not like the value of PAM_TTY. I see this in the source code: #ifdef PAM_TTY_KLUDGE /* * Some silly PAM modules (e.g. pam_time) require a TTY to operate. * sshd doesn't set the tty until too late in the auth process and * may not even set one (for tty-less connections) */ debug("PAM: setting PAM_TTY to \"ssh\""); sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh&quo...

Thank for your answer: But i dont know understand why is following not working: I want to restrict the ssh access for a special domain member: In my "sshd_config" i added: AllowGroups restrictaccess root With user2 im able to login via ssh! log: pam_krb5(sshd:auth): user user2 authenticated as user2 at ROOTRUDI.DE With user1 im not! log: User user1 from 192.168.0.100 not allowed

...Winbind support added. New lines or amendments to existing lines are highlighted in bold. Listing Two: A typical PAM configuration file with Winbind support auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so B auth required pam_unix.so nullok B account requisite pam_time.so B account required pam_unix.so session required pam_unix.so session optional pam_lastlog.so session optional pam_motd.so session optional pam_mail.so standard noenv password required pam_unix.so nullok min=6 max=255 md5 This configuration adds lines to the auth and account stacks, inserting a...

...ments to existing lines are > highlighted in bold. > Listing Two: A typical PAM configuration file with Winbind support > auth requisite pam_securetty.so > auth requisite pam_nologin.so > auth required pam_env.so > B > auth required pam_unix.so nullok B > account requisite pam_time.so > B > account required pam_unix.so > session required pam_unix.so > session optional pam_lastlog.so > session optional pam_motd.so > session optional pam_mail.so standard noenv > password required pam_unix.so nullok min=6 max=255 md5 > > This configuration adds lines...

...highlighted in bold. > > Listing Two: A typical PAM configuration file with Winbind support > > auth requisite pam_securetty.so > > auth requisite pam_nologin.so > > auth required pam_env.so > > B > > auth required pam_unix.so nullok B > > account requisite pam_time.so > > B > > account required pam_unix.so > > session required pam_unix.so > > session optional pam_lastlog.so > > session optional pam_motd.so > > session optional pam_mail.so standard noenv > > password required pam_unix.so nullok min=6 max=255 md5 >...