/etc/pam.d/sshd vs /etc/login.conf

I am learning how to change the authentication configuration for SCP users. Specifically, I am learning the interaction between /etc/pam.d/sshd and /etc/login.conf. I am using FreeBSD 7.3. I am looking at PAM hoping that I can implement authentication configurations using the local user database that cannot be overridden by users. Another way of saying that is that I would like to find a way to prevent the use of ~/.profile, ~/.login, ~/.login_conf that override server-wide configurations.

Please advise. Thanks.
 
What exactly are you trying to prevent from being overridden by a user?
 
It seems that your question infers that I have a list of known configuration items that I want to control globally. Unfortunately, I have not found a complete list of configuration items and suspect that there may be undocumented features that, without a source code review, I cannot know. I do know that there are commands that I want to include that are not considered configuration items. For example, I will issue the command `mesg -n` due to related security implications if users enable mesg.

To make a long story short, I am trying to take control away from users to the greatest extent practical. I have learned from the manual page for login_cap that the login_getclassbyname() function can be used to disable the ability of users to override global configurations. Here are the statements from the manual page:

First of all, its arguments are used by the function to choose between system and user modes of operation. When in system mode, only the system login class database is used. When in user mode, the supplemental login class database in the user's home directory is allowed to override settings from the system database in a limited way as noted below. To minimize security implications, user mode is entered by login_getclassbyname() if and only if name is LOGIN_MECLASS (`me') and pwd is not NULL. Otherwise system mode is chosen.

However, I find no way of setting this in a manner that prevents users from creating their .login_conf file and using the class name “me.” It seems I can only implement a less effective and more resource costly detective and corrective control that seeks out and destroys .login_conf files in users’ directories.

Do you know of a way to prevent users from overriding /etc/login.conf?
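The post above describes a detective control as the fallback: finding per-user `.login_conf` files that define the `me` class (the only class `login_getclassbyname(3)` consults in user mode). The following POSIX sh script is an added example, not code from the thread or from FreeBSD; it reports such files under a given home-directory root rather than deleting them, so an administrator can review hits before acting. The root directory argument and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit home directories for a
# ~/.login_conf that defines the "me" login class, which is the only
# per-user record login_getclassbyname(3) honours in user mode.
# Detection only: nothing is modified or removed.

# find_me_overrides ROOT
#   Prints the path of every ROOT/<user>/.login_conf whose first column
#   starts a capability record named "me" (directly, or as one of the
#   '|'-separated aliases). Comment lines beginning with '#' are ignored.
find_me_overrides() {
    root=$1
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        conf="$home/.login_conf"
        [ -f "$conf" ] || continue
        # A login.conf record begins at column 0 with the class name,
        # optionally followed by '|alias' entries, and is terminated by ':'.
        if grep -Eq '^(me|[^:#]*\|me)[|:]' "$conf"; then
            printf '%s\n' "$conf"
        fi
    done
}

# count_me_overrides ROOT
#   Prints how many offending files were found (0 when none).
count_me_overrides() {
    find_me_overrides "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit_login_conf.sh /home
if [ -n "${1:-}" ]; then
    find_me_overrides "$1"
    printf 'offending files: %s\n' "$(count_me_overrides "$1")"
fi
```

Because the system database still applies to everything the user record is not allowed to override, this audit is a complement to a locked-down `/etc/login.conf`, not a substitute for it; run it from cron and treat any hit as a review item.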
 
As I have been thinking about my desire to prevent users from overriding the global configuration, I am considering using the sticky bit to make user files like .login_conf and .cshrc immutable.
 