Darren J Moffat wrote:
[ I've cc'd and set reply-to for [EMAIL PROTECTED] ]
On Tue, 2005-10-11 at 07:38, mnikhil m wrote:
(snip...)

Ok.. I have a requirement like this..
I have an NIS domain comprising 10 boxes, let's say..
and I have one prod box and I want to allow only people who belong
to two groups (of NIS) particularly on that box..
so whoever tries to rlogin/rsh/ssh to that box remotely should be
denied the login unless they are from the mentioned groups..

That sounds like what you want is a role, see rbac(5). Or you
could implement a simple PAM module that checks for group
membership. I have one; I'll see if we can start posting the source for these
types of things in the security community pages.

Actually, to me that sounds far more like a NIS Netgroup. Take a look
at the following:
http://docs.sun.com/app/docs/doc/816-4556/6maort2qp?a=view#anis2-14244
Roles would be orthogonal, right? You may want those users to need to
assume a role when they connect to the system, but assuming that box is
a NIS client you want to restrict which people can log into that box as
themselves. Right?
It should just be a matter of configuration if you're looking to do what
I think you are.
It's a bit more complex if you're using LDAP as your naming service (for
now), but still pretty practical.
Hope that helps,
- Matt
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
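
The group-membership check that a PAM module of the kind mentioned in the thread would need, shown as an added example; it is not code from the thread or from any poster's module. The function names, group names, users and gids are constructed for illustration, and a real module would call `login_allowed()` from its `pam_sm_acct_mgmt()` entry point.

```c
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if pw belongs to gr. gr_mem lists only supplementary members;
 * a user whose *primary* group is gr appears only via pw_gid, so both
 * tests are needed or primary-group members get locked out. */
int member_of(const struct passwd *pw, const struct group *gr)
{
    if (pw == NULL || gr == NULL)
        return 0;                       /* fail closed on a failed lookup */
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Resolves the user and each allowed group through the name service
 * (files, NIS or LDAP, as nsswitch.conf dictates). Unknown user or
 * unknown group never grants access. */
int login_allowed(const char *user, const char *const *groups, size_t n)
{
    const struct passwd *pw = getpwnam(user);
    for (size_t i = 0; pw != NULL && i < n; i++)
        if (member_of(pw, getgrnam(groups[i])))
            return 1;
    return 0;
}

/* Constructed sample data (hypothetical names and gids). */
static char *prodops_members[] = { "bob", NULL };
const struct group  sample_prodops = { .gr_name = "prodops", .gr_gid = 5001,
                                       .gr_mem = prodops_members };
const struct passwd sample_alice = { .pw_name = "alice", .pw_gid = 5001 };
const struct passwd sample_bob   = { .pw_name = "bob",   .pw_gid = 100 };
const struct passwd sample_carol = { .pw_name = "carol", .pw_gid = 100 };
const char *const sample_allowed[] = { "prodops", "dbadmin" };

int main(void)
{
    const struct passwd *u[] = { &sample_alice, &sample_bob, &sample_carol };
    for (size_t i = 0; i < 3; i++)
        printf("%s: %s\n", u[i]->pw_name,
               member_of(u[i], &sample_prodops) ? "allow" : "deny");
    return 0;
}
```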