PAM Config

  • First make sure that the line "account required pam_access.so" is in the /etc/pam.d/sshd file (should always be the case on our systems).
  • This pam module looks in /etc/security/access.conf to find out which users to allow or deny.
  • To lock out all users except root, DASG, and operations, the only uncommented line in that file should be:
     -:ALL EXCEPT root jam clyne pjg kena raisa jirina scottb davidf hartter lewisj beckyb:ALL

which translates to "deny all except root, jam, clyne, pjg, etc."

  • To restore access to all users, comment out that line.
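To check what a candidate access.conf would do before it is pushed everywhere, here is an added example (not part of this page or of pushall.pl) that evaluates the file the way pam_access does for the subset of syntax used above: permission:users:origins with ALL and EXCEPT, first matching rule wins, no match means access is granted. The file contents and the user names alice and bob are constructed for the example; group, netgroup and LOCAL syntax is not handled.

```python
"""Evaluate /etc/security/access.conf rules before pushing them.

Added example; it is not part of the original page or of pushall.pl. It
implements only the subset of pam_access syntax the page uses (permission :
users : origins, with ALL and EXCEPT). pam_access applies the first matching
rule; if no rule matches, access is granted.
"""


def _matches(field, value):
    """True if value (a user or origin name) matches a field such as
    'ALL', 'root jam' or 'ALL EXCEPT root jam'."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included = " ".join(tokens[:i])
        excluded = " ".join(tokens[i + 1:])
        return _matches(included, value) and not _matches(excluded, value)
    return "ALL" in tokens or value in tokens


def parse_rules(text):
    """Return (permission, users, origins) for each uncommented line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def check_access(text, user, origin="ALL"):
    """True if user coming from origin would be let in by pam_access."""
    for perm, users, origins in parse_rules(text):
        if _matches(users, user) and _matches(origins, origin):
            return perm == "+"
    return True  # no rule matched: pam_access grants access


def users_denied(text, candidates):
    """Sorted list of the candidate users the file would deny."""
    return sorted(u for u in candidates if not check_access(text, u))


# Constructed copy of the lockout file (access.conf.nousers) from the page.
LOCKDOWN = (
    "# deny everyone except root, DASG and operations\n"
    "-:ALL EXCEPT root jam clyne pjg kena raisa jirina scottb davidf "
    "hartter lewisj beckyb:ALL\n"
)
# Constructed copy with that line commented out (access restored).
OPEN = "#" + LOCKDOWN.splitlines()[1] + "\n"

if __name__ == "__main__":
    print(users_denied(LOCKDOWN, ["root", "jam", "alice", "bob"]))  # ['alice', 'bob']
    print(users_denied(OPEN, ["root", "jam", "alice", "bob"]))  # []
```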

/fs/local/config/pushall.pl

  • This script takes two arguments, a local filename and a destination path, and pushes the file to that path on all production systems (storms, blades, wizard, nomad).
  • To easily disable user accounts, run (from blizzard):
     cd /fs/local/config
     sudo ./pushall.pl access.conf.nousers /etc/security/access.conf
  • To re-enable accounts, run (from blizzard):
     cd /fs/local/config
     sudo ./pushall.pl access.conf /etc/security

Output

You will see this if the file being pushed is the same as the remote files:

rsync@storm0:
rsync@storm1:
rsync@storm2:
rsync@storm3:
rsync@storm4:
rsync@storm5:
rsync@wizard:
rsync@gale:
rsync@snow:
rsync@breeze:
rsync@hail:
rsync@gust:
rsync@nomad:

Otherwise you will see a "send" message for each host that received the updated file, for example:

rsync@storm0:
send access.conf
rsync@storm1:
send access.conf
rsync@storm2:
send access.conf
rsync@storm3:
send access.conf
rsync@storm4:
send access.conf
rsync@storm5:
send access.conf
rsync@wizard:
send access.conf
rsync@gale:
send access.conf
rsync@snow:
send access.conf
rsync@breeze:
send access.conf
rsync@hail:
send access.conf
rsync@gust:
send access.conf
rsync@nomad:
send access.conf