How to disable local login and enable remote login for users in Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
Issue
- How can local login be disabled for users while remote (ssh) login keeps working?
Resolution
1. Add the following entry to the /etc/security/access.conf file to restrict console-based access for users/groups using the pam_access.so module:
To restrict access for all users except the root user, add or modify the entry as below:
# vim /etc/security/access.conf
-:ALL EXCEPT root:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL
Access can be restricted for a particular user:
# vim /etc/security/access.conf
-:user:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL
Access can be restricted for a group containing multiple users:
# vim /etc/security/access.conf
-:group:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL
2. Configure the PAM stack to use the pam_access.so module, which restricts access according to the rules defined in the /etc/security/access.conf file.
# vim /etc/pam.d/system-auth
account required pam_access.so <---- Add this line in account section
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
3. Configure the sshd service to use PAM by adding or modifying the UsePAM parameter in the /etc/ssh/sshd_config file:
# vim /etc/ssh/sshd_config
UsePAM yes
NOTE: On Red Hat Enterprise Linux 6, add the following line to the account section of both the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
account required pam_access.so
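A check that steps 1 to 3 were applied, as an added example that is not part of the original Red Hat solution. The function names are hypothetical, and the requirement that pam_access.so precede any "sufficient" account line is an added assumption based on PAM control-flag behaviour, consistent with the placement shown in step 2:

```shell
#!/bin/sh
# Added example: audit copies of the files edited in steps 1-3.

# 0 if an active deny rule lists a tty or LOCAL in its origin field.
has_console_deny() {
    awk -F: '/^[ \t]*#/ { next }
        { perm = $1; gsub(/[ \t]/, "", perm) }
        perm == "-" && NF >= 3 && $3 ~ /(^|[ \t])(tty[0-9]+|LOCAL)([ \t]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# 0: account pam_access.so precedes every "sufficient" account line;
# 1: no active account pam_access.so line; 2: it follows a "sufficient" line,
# so PAM can return success before reaching it (assumed policy, see lead-in).
pam_access_position() {
    awk '$1 == "account" {
            for (i = 3; i <= NF; i++)
                if (!seen && $i ~ /(^|\/)pam_access\.so$/) { seen = 1; late = suff }
            if ($2 == "sufficient") suff = 1
        }
        END { exit (seen ? (late ? 2 : 0) : 1) }' "$1"
}

# 0 if the first active UsePAM keyword is "yes" (sshd uses the first value).
usepam_enabled() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "usepam" { v = tolower(f[2]); exit }
        END { exit (v == "yes" ? 0 : 1) }' "$1"
}

# Usage: audit_local_login_lockdown ACCESS_CONF SSHD_CONFIG PAM_FILE...
audit_local_login_lockdown() {
    access=$1; sshd=$2; shift 2; rc=0
    has_console_deny "$access" || { echo "FAIL: no tty/LOCAL deny rule in $access"; rc=1; }
    usepam_enabled "$sshd" || { echo "FAIL: UsePAM is not yes in $sshd"; rc=1; }
    for f in "$@"; do
        st=0; pam_access_position "$f" || st=$?
        case $st in
            0) echo "OK: $f" ;;
            2) echo "FAIL: pam_access.so follows a sufficient line in $f"; rc=1 ;;
            *) echo "FAIL: no account pam_access.so line in $f"; rc=1 ;;
        esac
    done
    return $rc
}

if [ "$#" -ge 3 ]; then audit_local_login_lockdown "$@"; fi
```

On Red Hat Enterprise Linux 6, pass both /etc/pam.d/system-auth and /etc/pam.d/password-auth as the PAM file arguments.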
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.