Finlay Dobbie wrote:
> On 21 Feb 2005, at 20:42, Damien Miller wrote:
>> If you are using LDAP, then set posixAccount/loginShell appropriately.

> I know how to set a user's shell using the NIS schema. I don't see how
> that helps me, since I need to have different restricted commands for
> different hosts. If I could restrict commands by group then that'd be
> dandy.

You could have the same shell name map to different restrictions on each
host. Trivially, by symlinking the shell to the binary you want to run
(e.g. /usr/bin/cvs) or, if you wanted to be fancy, you could make that
restricted shell look up the actual commands it is supposed to execute
in LDAP too. That way the user would get a consistent response
regardless of the method by which they logged in.


openssh-unix-dev mailing list
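
The per-host mapping suggested in the reply above, as an added example that is not code from the thread or from OpenSSH: one login shell path, installed on every host, that permits only the commands listed for the host it runs on. It reads a local allowlist file in place of the LDAP lookup mentioned in the reply; the path /etc/restricted-shell.allow, its "host:command" line format and the function name lookup_allowed are assumptions of this example.

```shell
#!/bin/sh
# Added example: a restricted login shell with per-host rules.
# Assumed allowlist format, one rule per line:  <short hostname>:<exact command>
# Constructed sample rule:  cvshost:cvs server
ALLOW_FILE="${ALLOW_FILE:-/etc/restricted-shell.allow}"

# Succeed only if "<host>:<cmd>" appears verbatim as a line of the file.
# Exact string comparison: no globbing, no prefix match, no eval, so a
# request such as "cvs server; id" never matches the rule "cvs server".
lookup_allowed() {
    file=$1 host=$2 cmd=$3
    [ -n "$cmd" ] || return 1
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        [ "$line" = "$host:$cmd" ] && return 0
    done < "$file"
    return 1
}

# sshd runs a remote command as: <login shell> -c "<command>".
if [ "${1:-}" = "-c" ] && [ $# -eq 2 ]; then
    host=$(hostname -s 2>/dev/null || hostname)
    if lookup_allowed "$ALLOW_FILE" "$host" "$2"; then
        # The string is identical to an administrator-written rule,
        # so handing it to /bin/sh runs nothing the rule did not name.
        exec /bin/sh -c "$2"
    fi
    echo "restricted shell: command not permitted on $host" >&2
    exit 1
fi
# Any other invocation (for example an interactive login) falls through,
# and the shell exits without running anything.
```

The allowlist file must be writable only by root, since anyone who can edit it can widen their own restrictions.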