block user remote login access by user-netgroup/groups basis - alt.solaris.x86

Message from discussion block user remote login access by user-netgroup/groups basis

Gary Mills

View profile

More options May 8, 5:23 pm

Newsgroups: comp.unix.solaris, alt.solaris.x86

From: Gary Mills <mi...@cc.umanitoba.ca>

Date: Thu, 8 May 2008 21:23:20 +0000 (UTC)

Local: Thurs, May 8 2008 5:23 pm

Subject: Re: block user remote login access by user-netgroup/groups basis

  Reply to author
  |
  Forward
  | Print
  | View thread
  | Show original
  | Report this message
  | Find messages by this author
  

In <fvvic6$rq...@registered.motzarella.org> Nikhil <mnik...@gmail.com> writes:

>The requirement in short is If the user is part of the appropriate user
>netgroup, then *only* the login is allowed onto the host otherwise
>simply it is denied.
>I am little unaware of using the Solaris /etc/pam.conf file (little
>worried if I break anything else here).
>Any suggestions/advice on making the pam.conf allow only the particular
> group members are allowed to login to the host and the rest are denied.

PAM is certainly the way to accomplish this. We use it that way, but
not with groups or netgroups. It's something that I call service
classes, but the result is the same. The account module type in
pam.conf is the best place to control access. I'm not aware of any
native PAM modules that will accomplish this. We use locally-written
PAM modules. That portion of pam.conf looks like this, with the last
three modules being locally-written:

#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account requisite pam_class_auth.so.1 allow=uadmin,celano
other account requisite pam_status_auth.so.1 allow=active
other account required pam_event_rec.so.1

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

Reply to author Forward