Summary: Restricting logins with NIS

From: Kevin Behrooz <behrooz_at_rudolf.nscl.msu.edu>
Date: Wed, 4 Dec 1996 15:06:51 -0500 (EST)

A few hours ago I asked:

> Hello Managers:
>
> I have an NIS server with clients A and B. I want to disable
> logins to the server, including ftp except for a few accounts.
> Furthermore, I want to disable logins to client A except for a
> few accounts, but I want to allow all users to ftp to client A.
> Finally client B should be open to all users.
>
> Creating /etc/nologin disables logins for everyone, and
> putting /bin/false as the login shell prevents users from
> logging in to client B.
>
> How do I resolve this? I am running NFS/NIS without Enhanced security.
>
> Thanks in advance for your help,
>
> Kevin Behrooz


Thanks to the following kind people who took the time to respond.

I implemented a combination of what Hellebo Knut and Ray Bellis
suggested and got what I was after. Again thanks to:

Philippe Gouffon pgouffon_at_fdei01.FNAL.GOV
Jon Eidson <eidson_at_unix4.is.tcu.edu>
Hellebo Knut <Knut.Hellebo_at_nho.hydro.com>
Ray Bellis <Ray.Bellis_at_community.co.uk>
Tom Webster <webster_at_europa.mdc.com>
"Randy M. Hayman" <haymanr_at_icefog.sois.alaska.edu>
"Craig I. Hagan" <hagan_at_cih.com>
Brian Sherwood <sherwood_at_esu.edu>
rioux_at_ip6480nl.ce.utexas.edu (Tom Rioux)
Tom Rioux

and those whose responses are on the way.

Complete replies:

From: "Richard L. Eisenman" <eisenman_at_tricity.wsu.edu>


If you replace the +: entry in the password file on the NIS clients with
+username entries for those allowed to login, that will create the limited
login list you need on those machines. The limited login/full ftp access
is a stickier matter. Don't know how you can do this without substituting
a generic, anonymous type ftp login for everyone not on the login list.
Hope this helps. Good luck.

From: pgouffon_at_fdei01.FNAL.GOV

Hi,

There is one trick that works well. You use for example a shell called
/bin/bsh in the passwd NIS files. Then on A, you create a soft link from
/bin/bsh to /bin/false or whatever. On B, you soft link /bin/bsh to any REAL
shell like /bin/tcsh. If the user logs on A, the shell is not valid and the
login fails. On B, the desired shell is changed.

Philippe Gouffon
Instituto de Fisica, Un. de Sao Paulo
pgouffon_at_charme.if.usp.br

From: Jon Eidson <eidson_at_unix4.is.tcu.edu>

Hi Kevin ...

I "solved" the problem by using the global /etc/csh.login and
/etc/profile and added code to screen out which users had access
to which machines. The scripts also do different setups depending
upon the users group, etc. You are welcome to a copy of them if
you like.

If you find other methods, I would be interested.

Thanks, Jon.

From: Hellebo Knut <Knut.Hellebo_at_nho.hydro.com>

The fastest way:

1. Install wu-ftpd on the server.
2. Create appropriate netgroups (see 'man netgroup') and distribute them
via NIS.
3. Restrict login via /etc/passwd and +@netgroup or -@netgroup entries in
/etc/passwd.

I also believe there's a freeware package somewhere that does user
restricting a bit more elaborate than the usual netgroup scheme.
Unfortunately I don't remember the name. I saw an article in SysAdmin a
while ago.


From: Ray Bellis <Ray.Bellis_at_community.co.uk>

This can probably be done using the + notation in /etc/passwd:

On the server:

+server_user_a: (allow user A)
+server_user_b: (allow user B)
+server_user_c::::::/etc/ftponly (allow user C to only use FTP)
+:*:::::/bin/false (disable everyone else)

etc.

On client A

+client_user_a: (allow user A)
+client_user_b: (allow user B)
+::::::/etc/ftponly (everyone else has different shell)

On client B:
+: (everyone has access).

The /etc/ftponly script would have to be listed in /etc/shells, and
would normally just print a message saying that they don't have access.
The last line for the server is only necessary if your mail boxes are
stored on that machine, otherwise the mail server won't know which
of your users actually exist.

Ray.

From: Tom Webster <webster_at_europa.mdc.com>

Kevin,

Let me preface this by saying that I haven't actually tried to
implement this under DU, I'm still waiting for some answers from
DEC in regards to the Enhanced security configuration with NIS.


You should be able to do this with netgroups. Build a netgroup for
people who should be able to login to system A (ausers for example).

On system A, your /etc/passwd file would look like:

----- snip ----- snip ----- snip ----- snip ----- snip -----
root:9Pf.mMEPUz08t:0:1:System PRIVILEGED Account,,,:/:/bin/csh
field:OnGgTH5moq4Yw:0:1:Field Svc Account,,,:/usr/field:/bin/csh
operator:Ni6WK/uqs0vaE:25:28:Operator Account,,,:/etc/operator:
guest:Nologin:100:31:Guest account:/usr/spool/uucppublic:/bin/date
+@ausers:
+::0:0:::/bin/false
----- snip ----- snip ----- snip ----- snip ----- snip -----

This should do two things:

1. Include all users in the ausers netgroup with the passwd information
   from the NIS map.
   
2. Include all other users, not previously added by a netgroup, with their
   shell changed to /bin/false (make sure /bin/false is a valid shell in
   /etc/shells on A).
   
Some older NIS systems wanted you to use "+:*:0:0:::" to include users,
on current implementations (including DEC's) this should result in locking
(by replacing passwords with "*") all of the included accounts.

Hope this helps,

Tom
--
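The "+" merge semantics that Ray's and Tom's /etc/passwd layouts rely on, as an added example that is not from the thread: a small POSIX sh/awk simulator that computes the effective passwd entries from a local file and an NIS map, run over constructed sample users. The override rules it assumes (non-empty password, gecos, home and shell fields on a "+" line replace the map's; uid/gid left alone; "+@netgroup" not handled) are a simplification, since the exact format differs by OS.

```shell
#!/bin/sh
# Added example (not from the thread): simulate how a client's /etc/passwd
# "+"/"-" entries merge with the NIS passwd map, so a layout can be checked
# before it is deployed.
# Assumed semantics: "+name" pulls that user's map entry, "-name" excludes it,
# "+:" pulls every map user not already listed; non-empty password, gecos, home
# and shell fields on the "+" line override the map (uid/gid overrides ignored;
# real implementations differ by OS, and "+@netgroup" is not handled here).

effective_passwd() {
    # $1 = local passwd file, $2 = NIS passwd map as colon-separated text
    awk -F: -v OFS=: '
        NR == FNR { map[$1] = $0; order[++n] = $1; next }    # first file: map
        $1 !~ /^[+-]/ { print; seen[$1] = 1; next }           # plain local entry
        substr($1, 1, 1) == "-" { seen[substr($1, 2)] = 1; next }
        {
            name = substr($1, 2)
            if (name != "") { if (name in map && !(name in seen)) emit(name, $0) }
            else for (i = 1; i <= n; i++) if (!(order[i] in seen)) emit(order[i], $0)
        }
        function emit(u, line,   f, m, k) {
            split(line, f, ":"); split(map[u], m, ":")
            for (k = 2; k <= 7; k++)            # fields 3,4 = uid,gid: left alone
                if (k != 3 && k != 4 && f[k] != "") m[k] = f[k]
            print m[1], m[2], m[3], m[4], m[5], m[6], m[7]
            seen[u] = 1
        }' "$2" "$1"
}

demo_server() {
    # Constructed sample data following the "On the server" layout above
    d=$(mktemp -d)
    cat > "$d/nis.map" <<'EOF'
alice:x1:1001:100:Alice:/home/alice:/bin/csh
bob:x2:1002:100:Bob:/home/bob:/bin/ksh
carol:x3:1003:100:Carol:/home/carol:/bin/csh
dave:x4:1004:100:Dave:/home/dave:/bin/csh
EOF
    cat > "$d/passwd" <<'EOF'
root:*:0:1:System PRIVILEGED Account:/:/bin/csh
+alice:
+bob:
+carol::::::/etc/ftponly
+:*:::::/bin/false
EOF
    effective_passwd "$d/passwd" "$d/nis.map"
    rm -rf "$d"
}
```

Running demo_server shows carol ending up with /etc/ftponly as her shell and dave, who is not listed, with a "*" password and /bin/false, which is the locking effect Tom describes for the catch-all entry.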
From: "Randy M. Hayman" <haymanr_at_icefog.sois.alaska.edu>

Kevin -

To do this same sort of thing here, we did the following:

a) modified /etc/shells to disallow any C shell use (Bourne and Korn allowed)
   you could allow C shell, but then you'd have to modify /etc/csh.login also
b) set everybody up to use the Korn shell
c) modified /etc/profile to:
   trap ^C, ^Y, etc... and exit if they're received
   generate a group listing for that user
   if the group list contains the group disuser
      tell user they are disallowed access and exit them
   check for the existence of /etc/ua_nologin
      if it exists
            if the group list contains the system group or the allowed group
               let them continue to log in
            else
               display contents of /etc/ua_nologin and exit
      else allow them to continue to log in

You could do the same sort of thing with your situation.  The users you want
to allow only FTP access can be set up in group "disuser", and their
$HOME/.profile could have mode 600, owner root:daemon, and a line
"kill -KILL 0", which disables them from logging in, but allows FTP access
(FTP doesn't go through shell login processing).
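Randy's /etc/profile outline, as an added example in POSIX sh that is not his actual script: the user's group list, the lockout file path and the allowed group are passed as parameters so the gate can be exercised offline. The names "disuser", "system" and /etc/ua_nologin come from his message; the function name and the parameter layout are assumptions.

```shell
#!/bin/sh
# Added example following Randy Hayman's /etc/profile outline (not his script).
# $1 = space-separated group list for the user (what `groups` would print),
# $2 = path of the lockout file (Randy's /etc/ua_nologin),
# $3 = the "allowed" group that may log in while the lockout file exists.
# Returns 0 when the login may continue, 1 when it must be refused.
login_gate() {
    groups_list=$1; nologin_file=$2; allowed=$3
    for g in $groups_list; do
        # members of "disuser" are always refused (the FTP-only accounts)
        if [ "$g" = disuser ]; then
            echo "Access to this host is not permitted."
            return 1
        fi
    done
    [ -f "$nologin_file" ] || return 0     # no lockout file: everyone proceeds
    for g in $groups_list; do
        case $g in
            system|"$allowed") return 0 ;;  # privileged groups still get in
        esac
    done
    cat "$nologin_file"                    # explain the lockout, then refuse
    return 1
}

# In the real /etc/profile the call site would look like this; the trap keeps
# an interrupt from dropping the user into a shell before the check finishes:
#   trap 'exit 1' INT QUIT TSTP
#   login_gate "$(groups)" /etc/ua_nologin staff || exit 1
```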
From: "Craig I. Hagan" <hagan_at_cih.com>

Make your NIS maps allowing logins (normal shells), so that B works.
Now, on host A, don't have a + in /etc/passwd. Instead
+ in individual users, e.g.:

+hagan::::::

Play with the format, different OSes like slightly different
things. You can use this to change shells, etc.

Lastly: beware and make sure that the OS doesn't accept that user with a
null password for login.

-- craig
From: Brian Sherwood <sherwood_at_esu.edu>

Could you please post a summary when you can.  I have the same problem.

Brian
From: rioux_at_ip6480nl.ce.utexas.edu (Tom Rioux)

We force everyone to use ksh and then put code in /etc/profile.

Received on Wed Dec 04 1996 - 21:55:24 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:47 NZDT