 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
On 01/21/2009 04:54 PM, Jerry Feldman wrote: > let's say I have 3 groups of users, groupa, groupb, and groupc. I want = > to allow groupa to be able to log in to some of the systems. I want=20 > groupb to be able to log into other systems, and groupc should be able = > to log into all of the systems. > > I want to use NIS to control this. I could have 2 NIS domains, 1 for=20 > the groupa systems, another for groupb systems. By intelligently=20 > setting up user ids, I could copy the password and shadow entries for=20 > the groupc people to the groupa and groupb password files. Since NIS=20 > domains each must have their own master, but they can also be slaves=20 > for another domain. The standard Unix/Linux way to control access to=20 > directories would be through group memberships, and NFS could export=20 > home directories to the appropriate machines only. So, the only issue=20 > here is the multiple NIS domains, and the coordination when you have=20 > users who are allowed to log in to the other systems. > > In a more real-world situation, we may have departmental systems, such = > a a groups of systems that only developers can log into, and a finance = > system where only member of the finance department can log into. But,=20 > some privileged members of the IT department can log into all the=20 > systems. > > One way to control access to some systems is by using the AllowUsers=20 > line in the /etc/ssh/sshd_config. But, that does not cover the case of = > someone logging in through the console (possibly via a kvm or terminal = > concentrator). It also requires another file to be maintained. > Talked about it at the meeting. Possible solution is a PAM module that=20 restricts logins based on group membership. Another possibility is to=20 use Open LDAP, but the original question I was asked was specifically=20 about NIS. --=20 Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org> Boston Linux and Unix PGP key id: 537C5846 PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
