block user remote login access by user-netgroup/groups basis - Solaris



Thread: block user remote login access by user-netgroup/groups basis

  1. block user remote login access by user-netgroup/groups basis

    I use rsh/ssh for login access to the host. I figured out that by having
    user netgroups and the proper entries in hosts.equiv files, the system can
    be configured to have limited access based on the user netgroup.

    The requirement in short is: if the user is part of the appropriate user
    netgroup, then *only* is the login allowed onto the host; otherwise
    it is simply denied.

    Earlier, on Linux with PAM, I managed to get this done in a simplified
    way, not with netgroups but with the Unix groups themselves, in /etc/pam.d/
    and /etc/security/access.conf.

    I am a little unaware of how to use the Solaris /etc/pam.conf file (and a
    little worried that I might break something else here).
    Any suggestions/advice on making pam.conf allow only the particular
    group members to log in to the host and deny the rest?
    It should work both for rsh and ssh.
    (Even if the suggestion is to go for the user netgroup, that is
    also welcome.)

    Thanks in advance,
    Nikhil

  2. Re: block user remote login access by user-netgroup/groups basis

    In Nikhil writes:

    >The requirement in short is If the user is part of the appropriate user
    >netgroup, then *only* the login is allowed onto the host otherwise
    >simply it is denied.


    >I am little unaware of using the Solaris /etc/pam.conf file (little
    >worried if I break anything else here).
    >Any suggestions/advice on making the pam.conf allow only the particular
    > group members are allowed to login to the host and the rest are denied.


    PAM is certainly the way to accomplish this. We use it that way, but
    not with groups or netgroups. It's something that I call service
    classes, but the result is the same. The account module type in
    pam.conf is the best place to control access. I'm not aware of any
    native PAM modules that will accomplish this. We use locally-written
    PAM modules. That portion of pam.conf looks like this, with the last
    three modules being locally-written:

    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    other account requisite pam_class_auth.so.1 allow=uadmin,celano
    other account requisite pam_status_auth.so.1 allow=active
    other account required pam_event_rec.so.1

    --
    -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

  3. Re: block user remote login access by user-netgroup/groups basis

    Gary Mills wrote:
    > In Nikhil writes:
    >
    >> The requirement in short is If the user is part of the appropriate user
    >> netgroup, then *only* the login is allowed onto the host otherwise
    >> simply it is denied.

    >
    >> I am little unaware of using the Solaris /etc/pam.conf file (little
    >> worried if I break anything else here).
    >> Any suggestions/advice on making the pam.conf allow only the particular
    >> group members are allowed to login to the host and the rest are denied.

    >
    > PAM is certainly the way to accomplish this. We use it that way, but
    > not with groups or netgroups. It's something that I call service
    > classes, but the result is the same. The account module type in
    > pam.conf is the best place to control access. I'm not aware of any
    > native PAM modules that will accomplish this. We use locally-written
    > PAM modules. That portion of pam.conf looks like this, with the last
    > three modules being locally-written:
    >
    > #
    > # Default definition for Account management
    > # Used when service name is not explicitly mentioned for account management
    > #
    > other account requisite pam_roles.so.1
    > other account required pam_unix_account.so.1
    > other account requisite pam_class_auth.so.1 allow=uadmin,celano
    > other account requisite pam_status_auth.so.1 allow=active
    > other account required pam_event_rec.so.1
    >

    Thanks. I had a look at
    http://opensolaris.org/os/community/...am_netgroup.c;

    and after making a few changes to the C code, I was able to get it to
    at least meet the need, though it is not really cool.

    /etc/users.allow will have the list of the users (or the user
    netgroups), and if the login user is matched from it then the user is
    allowed. It's better than nothing for me at present.

    Thanks for the help again,
    Nikhil
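The check both replies describe (an account-type PAM decision against an allow list of users and @netgroups, as Nikhil's modified pam_netgroup.c reads from /etc/users.allow) is shown below as an added example written for this thread; it is not code from either poster or from OpenSolaris. It assumes the file format (one user name or @netgroup per line, '#' comments) and takes the netgroup test as a callback standing in for innetgr(); user_allowed, demo_in_netgroup and DEMO_LIST are names made up here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Netgroup membership test; the real module wraps innetgr(ng, NULL, user, NULL). */
typedef int (*netgroup_fn)(const char *ng, const char *user);

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    for (char *e = s + strlen(s); e > s && isspace((unsigned char)e[-1]); ) *--e = '\0';
    return s;
}

/* 1 if `user` matches an entry in `list` (text of the hypothetical /etc/users.allow: one
 * user name or @netgroup per line, '#' starts a comment); 0 otherwise, i.e. fail closed. */
int user_allowed(const char *user, const char *list, netgroup_fn in_ng)
{
    char *buf = malloc(strlen(list) + 1), *line, *next, *hash;
    int ok = 0;
    if (!buf || !user || !*user) { free(buf); return 0; }
    strcpy(buf, list);
    for (line = buf; line && !ok; line = next) {
        if ((next = strchr(line, '\n')) != NULL) *next++ = '\0';
        if ((hash = strchr(line, '#')) != NULL) *hash = '\0';     /* drop comment */
        line = trim(line);
        if (*line == '@') ok = in_ng != NULL && in_ng(line + 1, user); /* @netgroup */
        else if (*line)   ok = strcmp(line, user) == 0;                /* plain user */
    }
    free(buf);
    return ok;
}

/* Constructed stand-in for innetgr(): netgroup "admins" holds alice and bob. */
static int demo_in_netgroup(const char *ng, const char *user)
{
    return !strcmp(ng, "admins") && (!strcmp(user, "alice") || !strcmp(user, "bob"));
}
static const char DEMO_LIST[] =   /* constructed sample of the allow file's contents */
    "# users.allow: one user or @netgroup per line\nnikhil   # individual account\n"
    "@admins  # every member of the user netgroup\n\n  operator  \n";

int main(void)
{
    const char *who[] = { "nikhil", "alice", "operator", "mallory", "admins" };
    for (size_t i = 0; i < sizeof who / sizeof *who; i++)
        printf("%-8s -> %s\n", who[i], user_allowed(who[i], DEMO_LIST, demo_in_netgroup) ? "allow" : "deny");
    return 0;
}
```

In a real module this function would be called from pam_sm_acct_mgmt() after pam_get_user(), returning PAM_SUCCESS on 1 and PAM_PERM_DENIED on 0, so that an empty or unreadable list denies everyone rather than letting them through.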
