Hi Managers

Thanks to everyone for the response, especially Casper and Adam.

Casper wrote:

"You need to check /etc/pam.conf. For login, e.g., you must have:

    login account requisite /usr/lib/security/$ISA/pam_roles.so.1

as one of the lines. This is true for all account management definitions. And if you're using "SSH" you must make sure you have one which uses PAM correctly.

Casper"

You were right on the money Casper, the problem was OpenSSH and PAM. I installed the latest version of OpenSSH (openssh-4.0p1) and added:

    login account requisite /usr/lib/security/$ISA/pam_roles.so.1

to my /etc/pam.conf file and bingo jingo it worked. I then set UsePAM to yes in sshd_config. And it just worked first time.

Once again thanks to you all for your fast replies.

Regards
Chris Wrigglesworth
Unix Technical Specialist, Unix Technical Support (UK), Network Infrastructure Solutions, Atos Origin
Chris.Wrigglesworth@atosorigin.com

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of WRIGGLESWORTH, Christopher
Sent: Friday 08 April 2005 10:05
To: 'sunmanagers@sunmanagers.org'
Subject: RBAC Role allows direct login. Will Summarize

Hi Managers

I have a Solaris 8 server that is behaving quite odd. I have set up an RBAC role to allow an operator to perform some admin tasks. As I understand it, an RBAC role should only allow a user to su to it; it should not allow anyone to login to the server directly as the RBAC role. However, in testing I can always login to the server directly as the role. I have tried stopping and starting nscd but this has no effect. I have also searched sunsolve for any patches but I've found nothing (that doesn't mean there are no patches, just that I haven't found them :). Does anyone have any suggestions?
Below are a few details with the usual security adjustments; if anyone would like more info let me know.

System details:

    SunOS HOSTNAME 5.8 Generic_117350-02 sun4u sparc SUNW,Sun-Fire-280R

/etc/user_attr:

    username::::type=normal;roles=rolename
    rolename::::type=role;profiles=profile name

Thanks for your help.

Chris Wrigglesworth
Unix Technical Specialist, Unix Technical Support (UK), Network Infrastructure Solutions, Atos Origin
Chris.Wrigglesworth@atosorigin.com

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Apr 8 07:01:11 2005
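As an added example (not from the original thread), a small POSIX shell audit that reads a Solaris-style pam.conf and lists every service whose account stack lacks pam_roles.so.1, the omission that let the role above log in directly. The sample pam.conf is constructed, and the "sshd" service name is assumed to be what a PAM-enabled OpenSSH uses.

```shell
#!/bin/sh
# Audit a Solaris-style pam.conf: every service that defines an "account" stack
# should include pam_roles.so.1; otherwise a role account can log in directly
# instead of only via su. Example code, not from the original mail.

# Constructed sample pam.conf (fields: service module_type control_flag module_path [options]).
# "login" and "other" carry pam_roles.so.1, "sshd" (assumed service name) does not.
SAMPLE_PAM_CONF=$(mktemp)
cat > "$SAMPLE_PAM_CONF" <<'EOF'
# constructed sample
login   auth    required    /usr/lib/security/$ISA/pam_unix.so.1
login   account requisite   /usr/lib/security/$ISA/pam_roles.so.1
login   account required    /usr/lib/security/$ISA/pam_unix.so.1
sshd    auth    required    /usr/lib/security/$ISA/pam_unix.so.1
sshd    account required    /usr/lib/security/$ISA/pam_unix.so.1
other   account requisite   /usr/lib/security/$ISA/pam_roles.so.1
other   account required    /usr/lib/security/$ISA/pam_unix.so.1
EOF

# missing_pam_roles FILE: print, one per line, the services whose account stack
# has no pam_roles.so.1 entry. Exit status 1 if any were printed, 0 otherwise.
missing_pam_roles() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        $2 == "account" {
            seen[$1] = 1                          # service defines an account stack
            if ($4 ~ /pam_roles\.so\.1$/) ok[$1] = 1
        }
        END {
            n = 0
            for (s in seen) if (!(s in ok)) { print s; n++ }
            exit (n > 0)
        }' "$1"
}

# Stand-alone run: report against the constructed file.
missing_pam_roles "$SAMPLE_PAM_CONF" || echo "services above lack pam_roles.so.1"
```

Point it at the real /etc/pam.conf to check every account stack at once, not just login.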
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:45 EST