SUMMARY: restricting login under NIS+

From: Stuart Kendrick (sbk@fhcrc.org)
Date: Tue Nov 26 1996 - 13:39:07 CST


Original post:

>Is there a way to restrict access by UID to a subset of machines in a
>NIS+domain?

>If machines a,b,c,d,e and f all belong to the same NIS+ domain ... can I
>allow user susan to log into machines a, b and c but not into machines d,
>e and f? Or do I have to start creating subdomains?

The answer is "yes", by using netgroups. To enable support of netgroups
under NIS+, use the following syntax:

/etc/passwd
...
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
+@allowed-grp::0:0:::
+::::::/usr/local/sbin/nologin

/etc/nsswitch.conf
...
passwd: compat
passwd_compat: files nisplus
group: files nisplus

In this way, one can enable NIS capabilities within NIS+; note that it is
*not* necessary to run NIS+ in YP emulation mode. See man netgroup(4) for
more details.

Thanks in particular to Mark Bergman for his precise response.

--sk

Stuart Kendrick
Network Services
FHCRC

There are a couple of ways of doing this.

1) Install Wietse Venema's tcp_wrappers and logdaemon from
ftp.win.tue.nl and modify rshd and rexecd to respect /etc/login.access
(this is the method we use). This gives you fine grained control over
who can log in, on what terminals and where from.

2) Modify /etc/nsswitch.conf to use the password compatibility targets
(see man page for nsswitch.conf), then you can use the + syntax to
include or exclude netgroups. You don't need to run NIS/YP
compatibility - just turn on the +/- syntax in /etc/passwd.

passwd: compat
passwd_compat: nisplus

There were problems with Solaris 2.4 and some NIS+ patchlevels which
prevented this from working.

3) Create a NIS+ subdomain. Remember the NIS+ server for the subdomain
will be a client of the parent domain, so will not have restricted
access itself. If you've got a number of machines with the same
restrictions this may be the best route, but you'll need to be clear
about NIS+ links and search paths.
|Kevin.Davidson@edinburgh.ac.uk +-+ Centre for Cognitive Science/HCRC

You can do it by putting susan into a netgroup, and allowing logins
into e and f by netgroup (using the YP compatibility syntax, but NOT
running NIS+ in compatibility mode)

Here's the /etc/passwd and /etc/nsswitch.conf for a working example:

-----------------------------------------------------------------
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
+@allowed-grp::0:0:::
+::::::/usr/local/sbin/nologin
-----------------------------------------------------------------
In this case, /usr/local/sbin/nologin is a script that explains that
logins aren't allowed and exits.

-----------------------------------------------------------------
passwd: compat
passwd_compat: files nisplus

group: files nisplus
-----------------------------------------------------------------
Mark Bergman <bergman@phri.nyu.edu>
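The +@netgroup / + mechanism that both Stuart's summary and Mark's example rely on resolves a login name by scanning the local passwd file in order: the first applicable line wins, and non-empty fields of a + line replace what the directory returned. The Python script below is an added example, not code from the thread or from Solaris; it simulates that lookup offline against constructed NIS+ passwd, netgroup and per-host /etc/passwd tables, so you can see which users get a real shell and which get /usr/local/sbin/nologin on each machine before pushing the files. Its assumptions: a + line's netgroup test is on the user field only (the host field is not consulted, so per-host policy comes from each host naming its own netgroup in its local file, which is exactly the design in the thread); the uid/gid fields of a + line are ignored, as the thread's working `+@allowed-grp::0:0:::` implies; and the -name / -@netgroup exclusion forms from passwd(4) are handled as well. The users, hosts and netgroup names are made up.

```python
import re

# Added simulation, not code from the thread; every table below is constructed data.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
NOLOGIN = "/usr/local/sbin/nologin"   # refusing shell named in the thread
TRIPLE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")

# Stand-in for the NIS+ passwd table.
NISPLUS_PASSWD = """\
susan:x:1001:100:Susan Example:/home/susan:/bin/ksh
bob:x:1002:100:Bob Example:/home/bob:/bin/csh
"""
# netgroup(4) form: name (host,user,domain) ...; an empty field is a
# wildcard, "-" matches nothing, a bare word nests another group.
NETGROUP = """\
abc-users  (,susan,)  staff
def-users  (,bob,)
staff      (,alice,)
"""
# Local /etc/passwd for machines a,b,c (the shape of the thread's example);
# d,e,f use the same file but name their own netgroup.
PASSWD_ABC = """\
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
+@abc-users::0:0:::
+::::::/usr/local/sbin/nologin
"""
PASSWD_DEF = PASSWD_ABC.replace("+@abc-users", "+@def-users")

def parse_passwd(text):
    """passwd(4) lines as dicts; + and - lines are kept verbatim."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def parse_netgroup(text):
    """{group: [(host, user, domain) or nested_group_name, ...]}"""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        name, *tokens = line.split()
        groups[name] = [TRIPLE.match(t).groups() if TRIPLE.match(t) else t
                        for t in tokens]
    return groups

def user_in_netgroup(groups, group, user, seen=None):
    """innetgr()-style test on the user field only (assumption: the host
    field is not consulted for a + line). Follows nesting, stops on cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return False
    seen.add(group)
    for member in groups[group]:
        if isinstance(member, str):
            if user_in_netgroup(groups, member, user, seen):
                return True
        elif member[1] != "-" and member[1] in ("", user):
            return True
    return False

def apply_override(src, plus_entry):
    """Non-empty passwd/gecos/dir/shell fields of the + line replace the
    directory values; its uid/gid are ignored (assumption drawn from the
    thread's working '+@allowed-grp::0:0:::'; confirm with passwd(4))."""
    out = dict(src)
    for field in ("passwd", "gecos", "dir", "shell"):
        if plus_entry[field]:
            out[field] = plus_entry[field]
    return out

def resolve(local_passwd, user, nis_text=NISPLUS_PASSWD, netgroup_text=NETGROUP):
    """Effective entry for `user` on a host with this local passwd, or None.
    Lines are scanned in order and the first applicable one wins."""
    nis = {e["name"]: e for e in parse_passwd(nis_text)}
    groups = parse_netgroup(netgroup_text)
    for entry in parse_passwd(local_passwd):
        name = entry["name"]
        if name == user:
            return dict(entry)                    # ordinary local account
        if not name or name[0] not in "+-":
            continue
        if name[1:2] == "@":
            applies = user_in_netgroup(groups, name[2:], user)
        else:
            applies = len(name) == 1 or name[1:] == user   # bare +/- or +name
        if not applies:
            continue
        if name[0] == "-":
            return None                           # -name / -@group: excluded
        if user in nis:
            return apply_override(nis[user], entry)
        # named by a + line but absent from the directory: keep scanning
    return None

def can_login(local_passwd, user):
    """True when the user resolves to an entry whose shell is not NOLOGIN."""
    entry = resolve(local_passwd, user)
    return entry is not None and entry["shell"] != NOLOGIN

if __name__ == "__main__":
    for label, passwd in (("a/b/c", PASSWD_ABC), ("d/e/f", PASSWD_DEF)):
        for user in ("susan", "bob", "alice", "mallory"):
            print("%s %-8s login=%s" % (label, user, can_login(passwd, user)))
```

Running it prints one line per host group and user. A user who exists in the directory but is not in the host's netgroup falls through to the bare + line and comes back with the nologin shell and an unchanged uid; a user named in a netgroup but absent from the directory resolves to nothing at all, which fails closed. Check the override semantics against passwd(4) on the release in use, since the thread notes that some Solaris 2.4 NIS+ patch levels broke compat mode.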



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:16 CDT