How to disable local login and enable remote login for users in Red Hat Enterprise Linux?

Solution Unverified

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • How can local (console) login be disabled for users while remote (ssh) login keeps working?

Resolution

1. Add an entry to /etc/security/access.conf to deny console (local) access to the chosen users or groups. The pam_access.so module reads this file; each line has the form permission:users:origins, where "-" denies, the second field lists users or groups, and the third lists the login origins (here the six virtual consoles and the LOCAL keyword).

To deny local login to everybody except root, add or modify the line as follows:

# vim /etc/security/access.conf

-:ALL EXCEPT root:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL

To deny local login to a particular user (replace "user" with the account name):

# vim /etc/security/access.conf

-:user:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL

To deny local login to every member of a group (replace "group" with the group name; pam_access matches the field against the user name first and then against the user's group memberships):

# vim /etc/security/access.conf

-:group:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL

Rules are evaluated in order and the first matching line wins, so place these deny lines before any broader "+" rule in the file. Note that LOCAL matches any origin string that contains no "." character: that covers the console ttys, but also a PAM_RHOST that sshd has resolved to a bare, unqualified hostname. Keep a root session open and confirm an ssh login from the client you care about before logging out.

2. Configure the PAM stack to call pam_access.so, so that the account phase of every login enforces the rules defined in /etc/security/access.conf:

# vim /etc/pam.d/system-auth

account     required      pam_access.so     <---- Add this line at the top of the account section
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

Keep the pam_access.so line above the "sufficient pam_succeed_if.so uid < 500" line: that line ends the account stack successfully for system accounts, so a pam_access rule placed below it would never be evaluated for them. On a system managed by authconfig, /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates; edits made directly to system-auth-ac are lost the next time authconfig runs, so point the symlink at a locally maintained copy instead.

3. Configure the sshd service to use PAM by adding or modifying the UsePAM parameter in /etc/ssh/sshd_config. This is the Red Hat default, but with UsePAM no sshd never calls the PAM account stack and the access.conf rules are not applied to ssh logins:

# vim /etc/ssh/sshd_config

UsePAM  yes

Reload sshd afterwards so the change takes effect (# service sshd reload); existing sessions are not affected.

NOTE: On Red Hat Enterprise Linux 6, sshd includes /etc/pam.d/password-auth rather than system-auth, so add the following line to the account section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:

account     required      pam_access.so
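The three steps above as one idempotent script. This is an added example written for this article, not Red Hat's own procedure or tooling. It assumes GNU sed and awk, takes file paths as parameters so the functions can be exercised on scratch copies first (the demo function builds constructed RHEL 6-style samples; the user field 'ALL EXCEPT root' and the file contents are illustrative), and must be run as root when pointed at /etc.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: applies the three steps above
# idempotently. File paths are parameters so the functions can be exercised on
# scratch copies first; run against /etc/... as root only after that.
set -eu

PAM_ACCESS_LINE='account     required      pam_access.so'
CONSOLE_ORIGINS='tty1 tty2 tty3 tty4 tty5 tty6 LOCAL'

# Step 1: build an access.conf deny rule (permission:users:origins) for the
# given user/group field, e.g. 'ALL EXCEPT root', 'alice' or 'wheel'.
access_rule() {
    printf -- '-:%s:%s\n' "$1" "$CONSOLE_ORIGINS"
}

# Append the rule to access.conf unless an identical line is already present.
# $1 = path to access.conf, $2 = user/group field
add_access_rule() {
    rule=$(access_rule "$2")
    grep -qxF -- "$rule" "$1" || printf '%s\n' "$rule" >> "$1"
}

# Step 2: insert pam_access.so as the FIRST account line of a pam.d file, so it
# runs before "account sufficient pam_succeed_if.so uid < 500", which would
# otherwise end the stack for system accounts before our rule is checked.
# $1 = path to a pam.d service file (system-auth, password-auth)
add_pam_access() {
    if grep -Eq '^account[[:space:]]+required[[:space:]]+pam_access\.so' "$1"; then
        return 0                      # already configured, nothing to do
    fi
    awk -v line="$PAM_ACCESS_LINE" '
        !done && $1 == "account" { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Step 3: force "UsePAM yes" in sshd_config, rewriting a commented-out or
# "no" setting in place and appending the directive if it is absent.
# $1 = path to sshd_config
set_usepam() {
    if grep -Eq '^[[:space:]]*#?[[:space:]]*UsePAM[[:space:]]+(yes|no)[[:space:]]*$' "$1"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*UsePAM[[:space:]]+(yes|no)[[:space:]]*$/UsePAM yes/' "$1"
    else
        printf 'UsePAM yes\n' >> "$1"
    fi
}

# Demo: constructed RHEL 6-style sample files (not copied from a real system)
# in a scratch directory. Runs every step twice to prove idempotence, verifies
# the result, and prints the directory on success (non-zero exit on failure).
demo() {
    dir=$(mktemp -d)
    printf '# access.conf (constructed sample)\n' > "$dir/access.conf"
    cat > "$dir/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF
    printf '#UsePAM no\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$dir/sshd_config"

    for pass in 1 2; do
        add_access_rule "$dir/access.conf" 'ALL EXCEPT root'
        add_pam_access "$dir/system-auth"
        set_usepam "$dir/sshd_config"
    done

    # pam_access.so appears exactly once, and as the first account line
    [ "$(grep -c 'pam_access\.so' "$dir/system-auth")" -eq 1 ] || return 1
    [ "$(grep '^account' "$dir/system-auth" | head -n 1)" = "$PAM_ACCESS_LINE" ] || return 1
    [ "$(grep -cF -- "$(access_rule 'ALL EXCEPT root')" "$dir/access.conf")" -eq 1 ] || return 1
    grep -qx 'UsePAM yes' "$dir/sshd_config" || return 1
    echo "$dir"
}
```

Against a real host, call the functions as root on the real files (add_access_rule /etc/security/access.conf 'ALL EXCEPT root'; add_pam_access /etc/pam.d/system-auth, plus /etc/pam.d/password-auth on RHEL 6; set_usepam /etc/ssh/sshd_config), then service sshd reload, and keep a root session open until an ssh login from the intended client has been confirmed. The awk insertion deliberately places the line before the first existing account entry rather than at the end of the section, which is the ordering the note under step 2 requires.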

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
