NIS questions (hypothetical)
Jerry Feldman
gaf-mNDKBlG2WHs at public.gmane.org
Wed Jan 21 19:58:26 EST 2009
On 01/21/2009 04:54 PM, Jerry Feldman wrote:
> let's say I have 3 groups of users, groupa, groupb, and groupc. I want =
> to allow groupa to be able to log in to some of the systems. I want=20
> groupb to be able to log into other systems, and groupc should be able =
> to log into all of the systems.
>
> I want to use NIS to control this. I could have 2 NIS domains, 1 for=20
> the groupa systems, another for groupb systems. By intelligently=20
> setting up user ids, I could copy the password and shadow entries for=20
> the groupc people to the groupa and groupb password files. Since NIS=20
> domains each must have their own master, but they can also be slaves=20
> for another domain. The standard Unix/Linux way to control access to=20
> directories would be through group memberships, and NFS could export=20
> home directories to the appropriate machines only. So, the only issue=20
> here is the multiple NIS domains, and the coordination when you have=20
> users who are allowed to log in to the other systems.
>
> In a more real-world situation, we may have departmental systems, such =
> a a groups of systems that only developers can log into, and a finance =
> system where only member of the finance department can log into. But,=20
> some privileged members of the IT department can log into all the=20
> systems.
>
> One way to control access to some systems is by using the AllowUsers=20
> line in the /etc/ssh/sshd_config. But, that does not cover the case of =
> someone logging in through the console (possibly via a kvm or terminal =
> concentrator). It also requires another file to be maintained.
>
Talked about it at the meeting. Possible solution is a PAM module that=20
restricts logins based on group membership. Another possibility is to=20
use Open LDAP, but the original question I was asked was specifically=20
about NIS.
--=20
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
More information about the Discuss
mailing list