
Why LUM users ignore /etc/nologin

Hi,

I am testing the latest OES and I am unable to disable ssh login for LUM (nam) users. The file /etc/nologin disallows login for all users from /etc/passwd, but users from eDirectory are still able to log in.

How do I correctly configure the NAM service or the PAM modules to disallow login for ALL users?

Many thanks, o.t.

Re: Why LUM users ignore /etc/nologin

I am not familiar with the rules or logic of /etc/nologin, nor with how PAM uses it. Looking at /etc/pam.d/sshd on a LUM-enabled sshd setup, I'm guessing that the pam_nam lines which are "sufficient" are causing those auths to be successful and not depend on the success of the later pam_nologin lines. But how to custom-build pam.d to put pam_nologin in force for LUM users as well is a bit beyond my experience.

But as an alternative to all that: If you are trying to disallow ssh login for ALL users (even root), you could find/set both of these in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
ForceCommand internal-sftp

then "rcsshd restart"

This will cause the sshd server to become sftp only. But if you want to still allow root, you might have to get more sophisticated by putting the "ForceCommand ..." part of that in a "Match" block to only apply to certain groups. Something like:

Match group lumusers
ForceCommand internal-sftp

(and of course all your lum users would need to be members of "lumusers")

There are probably other ways, and I suspect the best way is indeed to get expert advice on building /etc/pam.d/sshd correctly. Sorry I don't have that knowledge.
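The reply above guesses that a "sufficient" pam_nam line returns success before the pam_nologin line is ever reached. The script below is an added example, not code from this thread or from OES/LUM: it simulates the Linux-PAM control-flag rules (required, requisite, sufficient) over two hypothetical stack layouts, the module order the reply describes and the same modules with pam_nologin moved to the front, and reports which of a few constructed sample accounts would get through while /etc/nologin exists. The module names pam_nam.so, pam_unix.so and pam_nologin.so come from the thread and from standard PAM; the exact stack contents, the management group (auth is shown, the account group follows the same rules) and the sample users are assumptions for the illustration.

```python
"""Simulate Linux-PAM control-flag evaluation to show why a 'sufficient'
pam_nam line placed before pam_nologin lets directory users bypass
/etc/nologin, and how reordering the stack closes the gap.

Added illustration, not code from the thread or from OES/LUM.  The stacks
below are hypothetical layouts chosen to match the reply's description,
not a copy of any real /etc/pam.d/sshd.
"""

# A stack is a list of (control_flag, module) pairs in file order.
REPLY_ORDER = [              # sufficient pam_nam before the nologin check
    ("sufficient", "pam_nam.so"),
    ("required",   "pam_unix.so"),
    ("required",   "pam_nologin.so"),
]

NOLOGIN_FIRST = [            # nologin check runs before anything can succeed
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_nam.so"),
    ("required",   "pam_unix.so"),
]

# Constructed sample accounts (assumption; not real systems or users).
LOCAL_USERS = {"root", "alice"}          # present in /etc/passwd
DIRECTORY_USERS = {"bob", "carol"}       # LUM-enabled eDirectory users


def module_result(module, user, nologin_present):
    """Model each module's pass/fail for one user.

    pam_unix:    succeeds only for /etc/passwd accounts.
    pam_nam:     succeeds only for LUM/eDirectory accounts.
    pam_nologin: fails for every non-root user while /etc/nologin exists.
    """
    if module == "pam_unix.so":
        return user in LOCAL_USERS
    if module == "pam_nam.so":
        return user in DIRECTORY_USERS
    if module == "pam_nologin.so":
        return user == "root" or not nologin_present
    raise ValueError(f"unknown module {module}")


def evaluate_stack(stack, user, nologin_present):
    """Apply Linux-PAM control-flag rules and return (allowed, reason).

    required:   a failure is recorded (the first one wins) but the stack
                keeps running
    requisite:  a failure returns immediately
    sufficient: a success returns immediately unless a required module
                already failed; a failure is ignored
    """
    first_failure = None
    for control, module in stack:
        ok = module_result(module, user, nologin_present)
        if control == "required":
            if not ok and first_failure is None:
                first_failure = module
        elif control == "requisite":
            if not ok:
                return False, f"{module} (requisite) denied"
        elif control == "sufficient":
            if ok and first_failure is None:
                return True, f"{module} (sufficient) short-circuited the stack"
        else:
            raise ValueError(f"unsupported control flag {control}")
    if first_failure is None:
        return True, "all required modules passed"
    return False, f"{first_failure} (required) denied"


def who_can_log_in(stack, nologin_present=True):
    """Return the set of sample users the stack would let through."""
    return {
        user
        for user in LOCAL_USERS | DIRECTORY_USERS
        if evaluate_stack(stack, user, nologin_present)[0]
    }


if __name__ == "__main__":
    for name, stack in (("reply order", REPLY_ORDER), ("nologin first", NOLOGIN_FIRST)):
        print(f"{name:14}: with /etc/nologin -> {sorted(who_can_log_in(stack))}")
```

With the reply's ordering the directory users bob and carol are admitted while /etc/nologin exists, because pam_nam succeeds with no earlier required failure and PAM returns before pam_nologin is consulted; alice is denied because pam_nam fails for her and the stack falls through to pam_nologin. With pam_nologin first, its failure is recorded and the later sufficient pam_nam success can no longer return success, so only root (which pam_nologin exempts) gets in. Using "requisite" instead of "required" for that first line returns on failure at once, so pam_nam is not even called. Whether the real /etc/pam.d/sshd on the OES box has this shape must be checked against the file itself. Two caveats on the workaround in the reply: "sshd -T -C user=<name>,host=<host>,addr=<ip>" prints the effective sshd_config for that connection, which is how to confirm the Match group block actually applies to a LUM user; and a Match/ForceCommand block restricts what an authenticated user may run, it does not deny authentication, so the account keeps sftp access to whatever its permissions allow.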

Re: Why LUM users ignore /etc/nologin

What I don't understand is why you LUM-enable users if you don't want them to log in.

Uwe