NIS questions (hypothetical)

Jerry Feldman gaf-mNDKBlG2WHs at public.gmane.org
Wed Jan 21 19:58:26 EST 2009


On 01/21/2009 04:54 PM, Jerry Feldman wrote:
> let's say I have 3 groups of users, groupa, groupb, and groupc. I want
> to allow groupa to be able to log in to some of the systems. I want
> groupb to be able to log into other systems, and groupc should be able
> to log into all of the systems.
>
> I want to use NIS to control this.  I could have 2 NIS domains, 1 for
> the groupa systems, another for groupb systems. By intelligently
> setting up user ids, I could copy the password and shadow entries for
> the groupc people to the groupa and groupb password files. Since NIS
> domains each must have their own master, but they can also be slaves
> for another domain. The standard Unix/Linux way to control access to
> directories would be through group memberships, and NFS could export
> home directories to the appropriate machines only. So, the only issue
> here is the multiple NIS domains, and the coordination when you have
> users who are allowed to log in to the other systems.
>
> In a more real-world situation, we may have departmental systems, such
> as a group of systems that only developers can log into, and a finance
> system where only members of the finance department can log into. But,
> some privileged members of the IT department can log into all the
> systems.
>
> One way to control access to some systems is by using the AllowUsers
> line in the /etc/ssh/sshd_config. But, that does not cover the case of
> someone logging in through the console (possibly via a kvm or terminal
> concentrator). It also requires another file to be maintained.
>
>
Talked about it at the meeting. Possible solution is a PAM module that
restricts logins based on group membership. Another possibility is to
use OpenLDAP, but the original question I was asked was specifically
about NIS.

-- 
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846
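The "PAM module that restricts logins based on group membership" mentioned in the reply is, on Linux, typically pam_access.so reading /etc/security/access.conf, which applies to console and ssh logins alike and so closes the gap the quoted message points out with AllowUsers. The script below is an added example and is not part of the thread: it holds a constructed access.conf for a host in the hypothetical "groupa" set (group names groupa/groupb/groupc are the thread's; user names, the host name ws1.example and the file contents are made up) and a simplified shell emulation of how pam_access evaluates it, enough to show the first-match rule and why the trailing deny-all line is needed. The real module is enabled with a line such as `account required pam_access.so` in the account stack (the PAM file name varies by distribution); the emulation handles only the subset of access.conf syntax used in the example and treats the LOCAL origin as an exact match.

```shell
#!/bin/sh
# Added example, not code from the original thread: a simplified emulation of
# how pam_access.so evaluates /etc/security/access.conf, to show what a
# group-membership login restriction for the groupa/groupb/groupc scheme looks
# like and why rule order matters. Real syntax: permission : users/groups :
# origins; first match wins; groups in parentheses; ALL matches anything.
# Only that subset is handled; LOCAL is simplified to an exact match.

# Constructed access.conf for a host in the "groupa" set: groupc (allowed
# everywhere) and groupa may log in from any origin, root from the console
# only, everyone else is denied. Applies to console and ssh logins alike.
GROUPA_HOST_CONF='
# hypothetical /etc/security/access.conf for a groupa host
+ : root : LOCAL
+ : (groupc) : ALL
+ : (groupa) : ALL
- : ALL : ALL
'

# Same rules with the deny-all line placed first: because the first matching
# rule decides, this locks everyone out, root included.
DENY_FIRST_CONF='
- : ALL : ALL
+ : root : LOCAL
+ : (groupc) : ALL
+ : (groupa) : ALL
'

# access_allowed CONF USER ORIGIN GROUP...
# Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
access_allowed() {
    conf=$1; user=$2; origin=$3; shift 3
    ugroups=$*
    decision=$(printf '%s\n' "$conf" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        who=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
        from=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        # users/groups field: ALL, a (group) the user belongs to, or a user name
        matched=0
        case $who in
            ALL) matched=1 ;;
            \(*\)) g=${who#\(}; g=${g%\)}
                   for ug in $ugroups; do [ "$ug" = "$g" ] && matched=1; done ;;
            *) [ "$who" = "$user" ] && matched=1 ;;
        esac
        [ "$matched" -eq 1 ] || continue
        # origins field: ALL, LOCAL (console), or an exact host name
        case $from in
            ALL) ;;
            *) [ "$from" = "$origin" ] || continue ;;
        esac
        # the first matching rule decides
        if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
        break
    done)
    # pam_access grants access when no rule matches, which is exactly why
    # the trailing "- : ALL : ALL" line is needed
    [ -z "$decision" ] && decision=allow
    echo "$decision"
    [ "$decision" = allow ]
}

# Demonstration on the constructed configs (user and host names are made up)
access_allowed "$GROUPA_HOST_CONF" alice ws1.example groupa          # allow
access_allowed "$GROUPA_HOST_CONF" bob   ws1.example groupb          # deny
access_allowed "$GROUPA_HOST_CONF" carol ws1.example groupc finance  # allow
access_allowed "$GROUPA_HOST_CONF" root  LOCAL       root            # allow
access_allowed "$GROUPA_HOST_CONF" root  ws1.example root            # deny
access_allowed "$DENY_FIRST_CONF"  alice ws1.example groupa          # deny
```

Because pam_access checks the account's group list as the host sees it, the scheme works unchanged whether the groups come from a local /etc/group, an NIS group map, or another NSS source; the per-host difference is only which `(group)` lines appear in that host's access.conf.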