How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: RV <news@xxxxxxxxxxxxxx>
- Date: Wed, 19 Apr 2006 16:22:10 GMT
In IBM's AIX there is a security option to restrict network login (RLOGIN=FALSE security stanza in /etc/security/user). This works great on restricting an account from using telnet, rsh, rlogin and SSH.
Unfortunately I WANT to disable telnet, rsh, rlogin etc. for an account, BUT keep SSH enabled. I can't figure out how. In AIX v4.3.3, 5.1 and 5.2 we did this by writing a custom LAM module to restrict access to an account to the console and bypass having to set RLOGIN=FALSE. It really only worked on telnet, but that was enough... However, in AIX v5.3 full PAM support was added, and our LAM module broke and we have been unable to figure out how to get it working again.
I have tried setting rlogin=false and set the account to use PAM (and compiled SSH with PAM support). Still can't get it to work, seems that SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is "locked" before it even tries PAM.
Anyone know how to get SSH to ignore or override the AIX Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to accomplish this?
Thanks
RV
BTW. Running AIX v5.3 and OpenSSH v4.2p1