Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3

Updated: May 2019

How to Restrict Who Can Log In to the Console

In this task, you restrict console login to particular users and netgroups. Console login is governed by PAM through the /etc/pam.d/login configuration file; the pam_list module added below consults a separate allow file when deciding whether an account may log in.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Modify the /etc/pam.d/login file.
    1. Save a copy of the login file, then open the original file.
      # cd /etc/pam.d
      # cp login login.orig
      # pfedit login
    2. Add the following entries:
      ## Account management for login(1) incorporates pam_list(5)
      ## Restricts who can log in on the console to the users and netgroups
      ## that are listed in the /etc/users.allow file
      account requisite pam_roles.so.1
      account definitive pam_user_policy.so.1
      account required pam_unix_account.so.1
      account required pam_list.so.1 allow=/etc/users.allow
      account required pam_tsol_account.so.1
  2. Create and protect the /etc/users.allow file.
    # cd /etc
    # touch users.allow ; chmod 644 users.allow
  3. Add users to the /etc/users.allow file.
    • For example, add the jdoe account.
      ## permitted console logins
      jdoe
    • For example, add netgroups.

      Netgroups are groups that are centrally defined in LDAP or NIS and have user members. Members of a listed netgroup can log in on the console of this particular system. A netgroup entry is written with a leading @ to distinguish it from a user name.

      ## permitted console logins
      jdoe
      @alladmins

      For more information, see the netgroup(4) and pam_list(5) man pages.
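The following script is an added example and is not part of the Oracle Solaris documentation. It performs three offline checks on the configuration produced by the procedure above: that the PAM login stack contains the pam_list account line pointing at the allow file, that the allow file is not writable by group or others (mode 644 as created in step 2), and what pam_list would decide for a given user based on the file's contents. Because netgroups can only be resolved against the name service, the script reports the netgroups a non-listed user would have to belong to rather than resolving them. The sample login and users.allow files are constructed in a temporary directory so the script runs on any POSIX shell; the file paths and the treatment of # lines as comments are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code. Builds stand-ins for /etc/pam.d/login and
# /etc/users.allow (assumption: same layout as the procedure) and checks them.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOGIN=$SAMPLE_DIR/login        # constructed stand-in for /etc/pam.d/login
SAMPLE_ALLOW=$SAMPLE_DIR/users.allow  # constructed stand-in for /etc/users.allow

cat > "$SAMPLE_LOGIN" <<EOF
## Account management for login(1) incorporates pam_list(5)
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_list.so.1 allow=$SAMPLE_ALLOW
account required pam_tsol_account.so.1
EOF

cat > "$SAMPLE_ALLOW" <<'EOF'
## permitted console logins
jdoe
@alladmins
EOF
chmod 644 "$SAMPLE_ALLOW"

# Return 0 if the PAM file has an account line that requires pam_list.so.1
# with allow= pointing at the given allow file, 1 otherwise.
pam_login_uses_list() {
    pamfile=$1; allowfile=$2
    grep -E '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_list\.so\.1[[:space:]]+allow=' "$pamfile" \
        | grep -F -- "allow=$allowfile" >/dev/null 2>&1
}

# Return 0 if the allow file is a regular file with no write bit for group or
# others (644 as in the procedure), 1 otherwise. Parses ls -l so it works with
# both Solaris and GNU userland, which differ in stat(1) syntax.
allow_file_protected() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        -????-??-?) return 0 ;;
    esac
    return 1
}

# Print how pam_list would treat a user given the allow file:
#   "user"                  the user is listed by name
#   "netgroup:a,b"          not listed; allowed only if a member of one of these
#                           netgroups (must be resolved via the name service)
#   "denied"                nothing in the file could match
# Blank lines and lines beginning with # are skipped (assumption).
console_login_decision() {
    user=$1; f=$2
    listed=0; netgroups=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        entry=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        case "$entry" in
            "$user") listed=1 ;;
            @*)      netgroups="${netgroups:+$netgroups,}${entry#@}" ;;
        esac
    done < "$f"
    if [ "$listed" -eq 1 ]; then
        printf 'user\n'
    elif [ -n "$netgroups" ]; then
        printf 'netgroup:%s\n' "$netgroups"
    else
        printf 'denied\n'
    fi
}

# Demonstration: run the checks against the constructed files.
if pam_login_uses_list "$SAMPLE_LOGIN" "$SAMPLE_ALLOW"; then
    echo "login stack: pam_list consults $SAMPLE_ALLOW"
fi
if allow_file_protected "$SAMPLE_ALLOW"; then
    echo "allow file: not group/world writable"
fi
for u in jdoe mallory; do
    printf '%s: %s\n' "$u" "$(console_login_decision "$u" "$SAMPLE_ALLOW")"
done
```

On a real system, point the functions at /etc/pam.d/login and /etc/users.allow instead of the sample files. A "netgroup:" result for a user who should be denied is the case to investigate, since membership of that netgroup in LDAP or NIS would grant console access.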