block user remote login access by user-netgroup/groups basis
I use rsh/ssh for login access to the host. I figured out that by having
user netgroups, and the proper entries in host.equiv files, the system can
be configured to have limited access based on the user netgroup.
The requirement in short is: if the user is part of the appropriate user
netgroup, then *only* then is the login allowed onto the host; otherwise
it is simply denied.
Earlier, on Linux with PAM, I managed to get this simplified by using
not netgroups but the Unix groups themselves, in /etc/pam.d/<files>
and /etc/security/access.conf.
I am a little unfamiliar with using the Solaris /etc/pam.conf file (a little
worried I might break something else here).
Any suggestions/advice on making pam.conf allow only the particular
group members to log in to the host and deny the rest?
It should work for both rsh and ssh.
(Even if the suggestion is to go for the user netgroup, that is
also welcome.)
Thanks in advance,
Nikhil
Re: block user remote login access by user-netgroup/groups basis
In <fvvic6$rq8$1@registered.motzarella.org> Nikhil <mnikhil@gmail.com> writes:
>The requirement in short is: if the user is part of the appropriate user
>netgroup, then *only* then is the login allowed onto the host; otherwise
>it is simply denied.
>I am a little unfamiliar with using the Solaris /etc/pam.conf file (a little
>worried I might break something else here).
>Any suggestions/advice on making pam.conf allow only the particular
>group members to log in to the host and deny the rest?
PAM is certainly the way to accomplish this. We use it that way, but
not with groups or netgroups. It's something that I call service
classes, but the result is the same. The account module type in
pam.conf is the best place to control access. I'm not aware of any
native PAM modules that will accomplish this. We use locally-written
PAM modules. That portion of pam.conf looks like this, with the last
three modules being locally-written:
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account requisite pam_class_auth.so.1 allow=uadmin,celano
other account requisite pam_status_auth.so.1 allow=active
other account required pam_event_rec.so.1
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Re: block user remote login access by user-netgroup/groups basis
Gary Mills wrote:
> In <fvvic6$rq8$1@registered.motzarella.org> Nikhil <mnikhil@gmail.com> writes:
>
>> The requirement in short is: if the user is part of the appropriate user
>> netgroup, then *only* then is the login allowed onto the host; otherwise
>> it is simply denied.
>
>> I am a little unfamiliar with using the Solaris /etc/pam.conf file (a little
>> worried I might break something else here).
>> Any suggestions/advice on making pam.conf allow only the particular
>> group members to log in to the host and deny the rest?
>
> PAM is certainly the way to accomplish this. We use it that way, but
> not with groups or netgroups. It's something that I call service
> classes, but the result is the same. The account module type in
> pam.conf is the best place to control access. I'm not aware of any
> native PAM modules that will accomplish this. We use locally-written
> PAM modules. That portion of pam.conf looks like this, with the last
> three modules being locally-written:
>
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account requisite pam_class_auth.so.1 allow=uadmin,celano
> other account requisite pam_status_auth.so.1 allow=active
> other account required pam_event_rec.so.1
>
Thanks. I had a look at
http://opensolaris.org/os/community/security/files/pam_netgroup.c
and after making a few changes to the C code, I was able to get it
working, at least enough to meet the need, but it is not really cool.
/etc/users.allow will have the list of the users (or the user
netgroups), and if the login user is matched from it then the user is
allowed. It's better than nothing for me at present.
Thanks for the help again,
Nikhil
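The two posts above describe the same design from different ends: Gary puts the allow/deny decision in the "account" stack of pam.conf with a locally written module, and Nikhil ends up with a module that reads /etc/users.allow containing user names or user netgroups. The C below is an added example written for this thread; it is not code from the thread, from Gary's modules, or from the OpenSolaris pam_netgroup.c that Nikhil modified. It generalises Nikhil's file to hold both plain user names and "@netgroup" entries. Assumptions: the file format (one entry per line, "@name" means a netgroup, "#" starts a comment), the module file name pam_users_allow.so.1, and the constructed sample list, the "staff" netgroup and the user names in it. The decision core is kept free of PAM and NIS calls so it can be compiled and checked on any machine; the pam_sm_acct_mgmt wrapper is built only with -DPAM_MODULE_BUILD and uses the Solaris prototypes.

```c
/*
 * Added example for this thread (not from the thread, Gary's modules or
 * OpenSolaris pam_netgroup.c): the decision core of a PAM "account"
 * module that permits a login only when the user is listed in an allow
 * file or belongs to a netgroup listed there. Assumed file format: one
 * entry per line, "alice" names a user, "@staff" names a netgroup,
 * '#' starts a comment, blank lines are ignored. Build the real module
 * with -DPAM_MODULE_BUILD; without it the core compiles stand-alone.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netgroup membership callback: returns 1 if `user` is in `netgroup`.
 * The module passes a wrapper around innetgr(3); tests pass a stub. */
typedef int (*netgroup_fn)(const char *netgroup, const char *user);

/* Returns 1 if the allow-list text permits `user`, 0 otherwise.
 * Default is deny: a missing, empty or comment-only list permits nobody. */
int allowlist_permits(const char *list, const char *user, netgroup_fn in_ng)
{
    if (list == NULL || user == NULL || *user == '\0')
        return 0;
    while (*list) {
        char line[256];
        size_t n = strcspn(list, "\n");              /* length of this line */
        size_t take = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, list, take);
        line[take] = '\0';
        list += n + (list[n] == '\n');               /* step past the newline */

        char *hash = strchr(line, '#');              /* drop trailing comment */
        if (hash) *hash = '\0';
        char *s = line;
        while (isspace((unsigned char)*s)) s++;      /* trim leading blanks */
        char *e = s + strlen(s);
        while (e > s && isspace((unsigned char)e[-1])) *--e = '\0'; /* trailing */
        if (*s == '\0')
            continue;                                /* blank or comment line */

        if (*s == '@') {                             /* "@name": netgroup entry */
            if (in_ng != NULL && in_ng(s + 1, user))
                return 1;
        } else if (strcmp(s, user) == 0) {           /* plain entry: user name */
            return 1;
        }
    }
    return 0;
}

/* Slurp the allow file; returns NULL on any error so the caller denies. */
char *read_allow_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return NULL;
    char *buf = NULL;
    size_t len = 0, cap = 0;
    int c;
    while ((c = fgetc(fp)) != EOF) {
        if (len + 2 > cap) {                         /* room for c and NUL */
            cap = cap ? cap * 2 : 1024;
            char *tmp = realloc(buf, cap);
            if (tmp == NULL) { free(buf); fclose(fp); return NULL; }
            buf = tmp;
        }
        buf[len++] = (char)c;
    }
    fclose(fp);
    if (buf == NULL)
        return calloc(1, 1);                         /* empty file: empty list */
    buf[len] = '\0';
    return buf;
}

/* Constructed stand-in for innetgr(3) used by the stand-alone build:
 * the netgroup "staff" contains bob and carol; no other netgroup exists. */
int demo_netgroup(const char *netgroup, const char *user)
{
    return strcmp(netgroup, "staff") == 0 &&
           (strcmp(user, "bob") == 0 || strcmp(user, "carol") == 0);
}

/* Constructed sample contents of /etc/users.allow. */
static const char DEMO_ALLOW_LIST[] =
    "# /etc/users.allow (constructed sample)\n"
    "alice          # an individual user\n"
    "@staff         # everyone in the staff netgroup\n"
    "\n"
    "  dave  \n";

#ifdef PAM_MODULE_BUILD
#include <netdb.h>                    /* innetgr(3) */
#include <security/pam_modules.h>

static int ng_lookup(const char *netgroup, const char *user)
{
    return innetgr(netgroup, NULL, user, NULL);
}

/* Wire into pam.conf as, for example (module name is an assumption):
 *   other account requisite pam_users_allow.so.1
 * Solaris pam_get_user(3PAM) takes char **; Linux-PAM takes const char **. */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_PERM_DENIED;
    char *list = read_allow_file("/etc/users.allow");   /* NULL => deny */
    int ok = allowlist_permits(list, user, ng_lookup);
    free(list);
    return ok ? PAM_SUCCESS : PAM_PERM_DENIED;
}
#endif
```

Two points worth checking before relying on this on a real host. First, the "other" stack only applies to services that have no stack of their own: if pam.conf already carries account lines for sshd, rlogin or rsh, the module has to be added to those stacks as well, or ssh and rsh logins will bypass it. Second, failure is closed: an unreadable or missing /etc/users.allow, an empty user name, or a netgroup lookup that cannot be resolved all produce PAM_PERM_DENIED, and with "requisite" (as in Gary's stack) the remaining modules are not consulted after a denial.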