[torqueusers] Re: hostbased ssh mini-howto

Daniel Widyono widyono at seas.upenn.edu
Thu Nov 3 13:43:15 MST 2005


Greetings,

I forgot one thing (** very important for not locking out root **):

On Server side:

/etc/security/access.conf
	-:ALL EXCEPT root:ALL

This is involved in the pam_access.so line below, which prevents root from
getting locked out even when root isn't listed in /etc/pbs_sshauth.

Regards,
Dan W.

> 	/etc/pam.d/sshd  (modified to use pam_listfile.so for access control)
> 		#%PAM-1.0
> 		# obviously on compute nodes only
> 		auth       required     pam_stack.so service=system-auth
> 		auth       required     pam_nologin.so
> 		account    required     pam_stack.so service=system-auth
> 		account    sufficient   pam_access.so
> 		account    required     pam_listfile.so file=/etc/pbs_sshauth onerr=fail sense=allow item=user
> 		password   required     pam_stack.so service=system-auth
> 		session    required     pam_stack.so service=system-auth
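
Added example, not part of the original message or of TORQUE/PAM: a simplified Python model of the account lines quoted above, showing why the access.conf rule keeps root from being locked out when root is not in /etc/pbs_sshauth. The function names and the sample user list are assumptions made for illustration, and the pam_stack.so system-auth account line is assumed to succeed.

```python
# Simplified model (assumption, not PAM source) of the account phase in the
# quoted /etc/pam.d/sshd. The pam_stack.so system-auth line is assumed to pass.

def rule_denies(rule, user):
    """True if a '-:users:ALL' access.conf line matches this user."""
    perm, users, origins = (field.strip() for field in rule.split(":"))
    if perm != "-" or origins != "ALL":
        raise ValueError("model only covers '-:<users>:ALL' rules")
    tokens = users.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        listed, excepted = tokens[:cut], tokens[cut + 1:]
    else:
        listed, excepted = tokens, []
    return ("ALL" in listed or user in listed) and user not in excepted

def pam_access_ok(user, rules):
    # A matching '-' rule denies; if no rule matches, pam_access grants access.
    return not any(rule_denies(rule, user) for rule in rules)

def pam_listfile_ok(user, allowed):
    # sense=allow item=user onerr=fail; allowed=None models an unreadable file.
    return allowed is not None and user in allowed

def account_allowed(user, rules, allowed):
    # "sufficient": success ends the account stack, failure is ignored.
    if pam_access_ok(user, rules):
        return True
    # "required": the user must be listed in /etc/pbs_sshauth.
    return pam_listfile_ok(user, allowed)

RULES = ["-:ALL EXCEPT root:ALL"]   # the access.conf line from the message
SSHAUTH = {"alice"}                 # constructed /etc/pbs_sshauth contents

if __name__ == "__main__":
    for user in ("root", "alice", "bob"):
        print(user, account_allowed(user, RULES, SSHAUTH))
    # With no rules in access.conf, pam_access succeeds for everyone and the
    # sufficient line skips pam_listfile entirely.
    print("bob, empty access.conf:", account_allowed("bob", [], SSHAUTH))
```

The last case is worth checking on each compute node: the deny rule in access.conf is also what stops the sufficient pam_access.so line from admitting users who are not in /etc/pbs_sshauth.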

