Google Groups Home
Help | Sign in
alt.solaris.x86
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
block user remote login access by user-netgroup/groups basis
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   3 messages - Collapse all
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
Nikhil  
View profile
  More options May 8, 2:56 pm
Newsgroups: comp.unix.solaris, alt.solaris.x86
From: Nikhil <mnik...@gmail.com>
Date: Fri, 09 May 2008 00:26:04 +0530
Local: Thurs, May 8 2008 2:56 pm
Subject: block user remote login access by user-netgroup/groups basis
Reply | Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
I use rsh/ssh for login access to the host. I figured out that by having
user netgroups, and the proper entries in host.equiv files, system  can
be configured to have limited access based on the user netgroup.

The requirement in short is If the user is part of the appropriate user
netgroup, then *only* the login is allowed onto the host otherwise
simply it is denied.

Earlier on Linux with PAM on Linux, I managed to get this simplified
with not the netgroups but the Unix groups itself in /etc/pam.d/<files>
and /etc/security/access.conf.

I am little unaware of using the Solaris /etc/pam.conf file (little
worried if I break anything else here).
Any suggestions/advice on making the pam.conf allow only the particular
   group members are allowed to login to the host and the rest are denied.
It should work both for rsh and ssh.
(Even if the suggestion includes to go for the user netgroup, that is
also please welcome).

Thanks in advance,
Nikhil


    Reply    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Gary Mills  
View profile
  More options May 8, 5:23 pm
Newsgroups: comp.unix.solaris, alt.solaris.x86
From: Gary Mills <mi...@cc.umanitoba.ca>
Date: Thu, 8 May 2008 21:23:20 +0000 (UTC)
Local: Thurs, May 8 2008 5:23 pm
Subject: Re: block user remote login access by user-netgroup/groups basis
Reply | Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author
In <fvvic6$rq...@registered.motzarella.org> Nikhil <mnik...@gmail.com> writes:

>The requirement in short is If the user is part of the appropriate user
>netgroup, then *only* the login is allowed onto the host otherwise
>simply it is denied.
>I am little unaware of using the Solaris /etc/pam.conf file (little
>worried if I break anything else here).
>Any suggestions/advice on making the pam.conf allow only the particular
>   group members are allowed to login to the host and the rest are denied.

PAM is certainly the way to accomplish this.  We use it that way, but
not with groups or netgroups.  It's something that I call service
classes, but the result is the same.  The account module type in
pam.conf is the best place to control access.  I'm not aware of any
native PAM modules that will accomplish this.  We use locally-written
PAM modules.  That portion of pam.conf looks like this, with the last
three modules being locally-written:

  #
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  #
  other   account requisite       pam_roles.so.1
  other   account required        pam_unix_account.so.1
  other   account requisite       pam_class_auth.so.1 allow=uadmin,celano
  other   account requisite       pam_status_auth.so.1 allow=active
  other   account required        pam_event_rec.so.1

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-


    Reply    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Nikhil  
View profile
  More options May 9, 3:18 am
Newsgroups: comp.unix.solaris, alt.solaris.x86
From: Nikhil <mnik...@gmail.com>
Date: Fri, 09 May 2008 12:48:50 +0530
Local: Fri, May 9 2008 3:18 am
Subject: Re: block user remote login access by user-netgroup/groups basis
Reply | Reply to author | Forward | Print | Individual message | Show original | Report this message | Find messages by this author

Thanks. I had a look at
http://opensolaris.org/os/community/security/files/pam_netgroup.c;

and after making few possible to changes to the c code,  I was able to
it atleast for meeting the need, but not really cool.

/etc/users.allow will have the list of the users, (or the user
netgroups) and if the login user is matched from it then the user is
allowed. Its better than nothing, for me at present.

Thanks for the help again,
Nikhil


    Reply    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2008 Google