Finlay Dobbie wrote:
>
> On 21 Feb 2005, at 20:42, Damien Miller wrote:
>> If you are using LDAP, then set posixAccount/loginShell appropriately.
>
> I know how to set a user's shell using the NIS schema. I don't see how
> that helps me, since I need to have different restricted commands for
> different hosts. If I could restrict commands by group then that'd be
> dandy.


You could have the same shell name map to different restrictions on each
host. Trivially, by symlinking the shell to the binary you want to run
(e.g. /usr/bin/cvs) or, if you wanted to be fancy, you could make that
restricted shell look up the actual commands it is supposed to execute
in LDAP too. That way the user would get a consistent response
regardless of the method by which they logged in.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
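
A sketch of the per-host mapping described in the message above, added here as an example and not code from the post or from OpenSSH: the same login shell path on every host resolves to a different fixed command per host, denying by default. The script name `rshell`, the map file path and format, and the `RSH_MAP` variable are assumptions; a local file stands in for the LDAP lookup.

```shell
#!/bin/sh
# Hypothetical restricted login shell, installed under the same path on every
# host and named in loginShell. Assumed map line format:
#   <hostname> <absolute-path-to-binary> [fixed arguments...]

# Print the command line permitted for host $1 according to map file $2.
# Returns 1 (deny) if the map is unreadable, the host is not listed,
# or the listed command is not an absolute path.
allowed_command() {
    host=$1
    map=$2
    [ -r "$map" ] || return 1
    while read -r h cmd args || [ -n "$h" ]; do
        case $h in ''|'#'*) continue ;; esac        # skip blanks and comments
        if [ "$h" = "$host" ]; then
            case $cmd in /*) ;; *) return 1 ;; esac # never search $PATH
            printf '%s\n' "$cmd${args:+ $args}"
            return 0
        fi
    done < "$map"
    return 1
}

restricted_main() {
    map=${RSH_MAP:-/etc/restricted-shell.map}       # assumed location
    line=$(allowed_command "$(hostname)" "$map") || {
        echo "no command permitted on this host" >&2
        return 1
    }
    # sshd starts the login shell as: shell -c '<requested command>'.
    # Those arguments are deliberately ignored, so the client cannot
    # influence what runs; only the mapped command line is executed.
    set -f                                          # no globbing on split
    set -- $line
    exec "$@"
}

# Run only when invoked under the assumed name, so the functions can be
# sourced and tested without executing anything.
case ${0##*/} in
    rshell) restricted_main ;;
esac
```

The map file must be writable only by root, since whoever can edit it controls what every restricted account runs on that host.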