I want to restrict access to a set of machines to all users to local access only. Effectively, I only want to allow login and kdm access, unless the user is a member of group 'remote', in which case s/he should also be able to use ssh, cron, and other PAM-using software.

I think this has to be done with pam_access, but I am not arriving. Using something like

  +|ALL|LOCAL
  -|ALL EXCEPT remote|ALL

(with fieldsep=|) does not work because LOCAL uses reverse DNS lookups, which can be trivially spoofed. Thus I tried

  +|ALL|tty1 tty2 tty3 tty4 tty5 tty6 :0
  -|ALL EXCEPT remote|ALL

which works for login, but kdm logins are still not allowed. The log does not help though:

  pam_access[21656]: access denied for user `kvai2004-50' from `:0'

So the origin seems to be `:0', but that is not being correctly interpreted by PAM.

Am I doing something wrong?

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!