PAM Config
- First make sure that the line "account required pam_access.so" is in the /etc/pam.d/sshd file (should always be the case on our systems).
- This pam module looks in /etc/security/access.conf to find out which users to allow or deny.
- To lock out all users except root, DASG, and operations, the only uncommented line in that file should be:
    -:ALL EXCEPT root jam clyne pjg kena raisa jirina scottb davidf hartter lewisj beckyb:ALL
which translates to "deny all except root, jam, clyne, pjg, etc."
- To restore access to all users, comment out that line.
/fs/local/config/pushall.pl
- This script takes two arguments, a local filename and a destination path, and pushes the file to that path on all production systems (storms, blades, wizard, nomad).
- To easily disable user accounts, run (from blizzard):
    cd /fs/local/config
    sudo ./pushall.pl access.conf.nousers /etc/security/access.conf
- To re-enable accounts, run (from blizzard):
    cd /fs/local/config
    sudo ./pushall.pl access.conf /etc/security
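Because the lock-out file must contain exactly one active rule and must keep root in its exception list, a pre-push check is worth having. The following is an added example, not part of pushall.pl or this site's own tooling; the function name check_lockout is hypothetical, and it assumes the rule is written exactly in the single-space "-:ALL EXCEPT <users>:ALL" form shown above.

```sh
#!/bin/sh
# check_lockout FILE USER...  (hypothetical helper, not part of pushall.pl)
# Succeeds only if FILE has exactly one active (non-blank, non-comment) line,
# that line has the form "-:ALL EXCEPT <users>:ALL", and every USER given
# appears in its exception list.
check_lockout() {
    file=$1
    shift
    # Active lines: everything that is not blank and not a "#" comment.
    active=$(awk '!/^[ \t]*(#|$)/' "$file")
    count=$(printf '%s\n' "$active" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 active rule, found $count" >&2
        return 1
    fi
    case $active in
        '-:ALL EXCEPT '*':ALL') ;;
        *) echo "active rule is not '-:ALL EXCEPT <users>:ALL'" >&2
           return 1 ;;
    esac
    # Strip the fixed prefix and suffix, leaving the space-separated users.
    users=${active#"-:ALL EXCEPT "}
    users=${users%":ALL"}
    for u in "$@"; do
        case " $users " in
            *" $u "*) ;;
            *) echo "$u is not in the exception list" >&2
               return 1 ;;
        esac
    done
    return 0
}

# Constructed sample input: a lock-out file with a shortened exception list.
sample=$(mktemp)
printf '%s\n' '# lock out everyone except admins' \
    '-:ALL EXCEPT root jam clyne:ALL' > "$sample"
check_lockout "$sample" root jam && echo "lock-out file OK"
check_lockout "$sample" root pjg || echo "refusing to push"
rm -f "$sample"
```

Run it against access.conf.nousers before the push, naming at least root and your own account, so a malformed file never reaches the production hosts.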
Output
You will see this if the file being pushed is the same as the remote files:
    rsync@storm0:
    rsync@storm1:
    rsync@storm2:
    rsync@storm3:
    rsync@storm4:
    rsync@storm5:
    rsync@wizard:
    rsync@gale:
    rsync@snow:
    rsync@breeze:
    rsync@hail:
    rsync@gust:
    rsync@nomad:
Otherwise you will see a "send" message for each host that received the updated file:
Ex.
    rsync@storm0: send access.conf
    rsync@storm1: send access.conf
    rsync@storm2: send access.conf
    rsync@storm3: send access.conf
    rsync@storm4: send access.conf
    rsync@storm5: send access.conf
    rsync@wizard: send access.conf
    rsync@gale: send access.conf
    rsync@snow: send access.conf
    rsync@breeze: send access.conf
    rsync@hail: send access.conf
    rsync@gust: send access.conf
    rsync@nomad: send access.conf