NIS questions (hypothetical)

[Jerry Feldman]

let's say I have 3 groups of users, groupa, groupb, and groupc. I want=20
to allow groupa to be able to log in to some of the systems. I want=20
groupb to be able to log into other systems, and groupc should be able=20
to log into all of the systems.

I want to use NIS to control this.  I could have 2 NIS domains, 1 for=20
the groupa systems, another for groupb systems. By intelligently setting =

up user ids, I could copy the password and shadow entries for the groupc =

people to the groupa and groupb password files. Since NIS domains each=20
must have their own master, but they can also be slaves for another=20
domain. The standard Unix/Linux way to control access to directories=20
would be through group memberships, and NFS could export home=20
directories to the appropriate machines only. So, the only issue here is =

the multiple NIS domains, and the coordination when you have users who=20
are allowed to log in to the other systems.

In a more real-world situation, we may have departmental systems, such a =

a groups of systems that only developers can log into, and a finance=20
system where only member of the finance department can log into. But,=20
some privileged members of the IT department can log into all the systems=
=2E

One way to control access to some systems is by using the AllowUsers=20
line in the /etc/ssh/sshd_config. But, that does not cover the case of=20
someone logging in through the console (possibly via a kvm or terminal=20
concentrator). It also requires another file to be maintained.


--=20
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846