[oclug] restrict login

Peter Sjoberg peters-oclug at techwiz.ca
Fri Oct 1 22:51:03 EDT 2010


On Fri, 2010-10-01 at 18:54 -0400, Dumitru Ciobanu wrote:
> Hi guys,
> 
> I was wondering if anybody knows of a way of restricting logins for
> users that don't have a home directory setup.

The solution depends a little on what you're trying to accomplish.

************
If this had been openSUSE (and SLES I guess) the short answer would be to
edit /etc/login.defs and change "DEFAULT_HOME" to "no", but it seems like
RHEL5.5 doesn't have that.

************
SUSE also comes with pam_homecheck; maybe it can be used in Red Hat.

************
Next option is a little ugly: edit /etc/profile and add something like
 # abort the interactive login if $HOME is missing or not writable
 if [ ! -w "$HOME" ]; then
   echo "Home directory not accessible, ABORT"
   exit 1
 fi
Note: this will not stop non-interactive things like
  ssh user@server ls /home

************
If you actually want to have a home directory created you can use
pam_mkhomedir to automatically do it the first time a user logs in.

************
If you want to deny some ldap users access, one common way is to use
netgroups. You create some groups in ldap and then set up who can log in
where with the help of pam_access.
We did set up two types of groups, one for all nodes and one for all
users. In access.conf we then added lines like
+:root localgroup ops sysstat :ALL
+:@webapp_prod_users@@webapp_prod_hosts : ALL
+:@webapp_dev_users@@webapp_dev_hosts : ALL
+:@webapp_cert_users@@webapp_cert_hosts : ALL
+:@webapp_stage_users@@webapp_stage_hosts : ALL
+:@sysadmin_prod_users@@webapp_prod_hosts : ALL
-:ALL:ALL

So if the server is a cert and development webapp server, it is listed in
the two ldap groups named webapp_dev_hosts & webapp_cert_hosts.
A user listed in webapp_dev_users can then log in to that server.

************
Maybe the home directory is on another server; then you can set up
automount to automagically mount /home/<user> when they log in.


> This is happening in an ldap environment (the linux boxes are ldap
> clients for Active Directory). We are running RHEL 5.5 and RedHat
> support has no clue if it's possible.
There is always a way (like rewriting the login program), the question is
just whether it's a good way.

> Right now if the user does not have a home directory (or just bad
> permissions) it gets logged in and lands in /.

> In HP-UX for example one can tweak that through /etc/default/security.
> I'm looking for something similar in Linux or maybe some fancy pam module.
> 
> Thanks in advance,
> 
> Dumitru
> 
> -- 
> =====================
> 
> Dumitru Ciobanu
> ciobanu.dumitru at gmail.com
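To make the first-match behaviour of those access.conf lines concrete, here is a small added Python model (not pam_access itself and not the poster's code) that evaluates the rules above against constructed netgroups; the host and user names are made up, and the @users@@hosts handling follows the description in the post rather than the full pam_access syntax.

```python
# Added model of the access.conf/netgroup scheme in the post, NOT pam_access:
# it handles only "+"/"-" rules, user tokens that are names, ALL or
# @users_netgroup@@hosts_netgroup, origins of ALL or host names, first match wins.
# Constructed netgroup membership; in the real setup this comes from LDAP.
NETGROUPS = {
    "webapp_prod_hosts": {"web01", "web02"},
    "webapp_dev_hosts": {"devbox"},
    "webapp_cert_hosts": {"devbox", "certbox"},
    "webapp_prod_users": {"alice"},
    "webapp_dev_users": {"bob"},
    "webapp_cert_users": {"carol"},
    "sysadmin_prod_users": {"dave"},
}
# Rules from the post (stage line omitted); the last line is the default deny.
ACCESS_CONF = """\
+:root localgroup ops sysstat :ALL
+:@webapp_prod_users@@webapp_prod_hosts : ALL
+:@webapp_dev_users@@webapp_dev_hosts : ALL
+:@webapp_cert_users@@webapp_cert_hosts : ALL
+:@sysadmin_prod_users@@webapp_prod_hosts : ALL
-:ALL:ALL
"""

def user_token_matches(token, user, host, netgroups):
    """One entry of the users field: ALL, a login name, or @users@@hosts."""
    if token == "ALL":
        return True
    if token.startswith("@"):
        users_ng, _, hosts_ng = token[1:].partition("@@")
        in_users = user in netgroups.get(users_ng, set())
        # With no @@hosts part the user netgroup alone decides.
        in_hosts = not hosts_ng or host in netgroups.get(hosts_ng, set())
        return in_users and in_hosts
    return token == user

def check_login(user, host, conf=ACCESS_CONF, netgroups=NETGROUPS):
    """True if the first matching rule permits user from host. As in
    pam_access, a list that matches nothing grants access, hence -:ALL:ALL."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = any(user_token_matches(t, user, host, netgroups) for t in users.split())
        origin_ok = origins == "ALL" or host in origins.split()
        if user_ok and origin_ok:
            return perm == "+"
    return True
```

Dropping the final `-:ALL:ALL` line turns every unmatched login into an allow, which is the easiest mistake to make with this file.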