I asked for advice on how to restrict host access to people with a NIS account.
Thanks to all who replied (see end of summary).
There are a number of ways of achieving this.
I'll be advocating the use of option 2 or 3 at our site.
1) "man nis_manual_setup" has a concise overview
2) instead of the universal "+:" line in the local passwd file, list only the
permitted users on sensitive hosts
    +legit1
    +legit2
or keep the universal "+" line but precede it with an exclusion
    -joeblow:*:5555::etc
Compat-mode entries are processed in order and the first match wins, so a "-"
line only keeps a user out of the "+" lines that follow it.
3) use netgroups in the local password file, e.g.
    +@goodguys
or, placed before the "+" line that admits everyone else,
    -@badguys
4) use local password file entries for the bad guys with a shell of /dev/null
(or /bin/false); put them before the "+" line so that they take precedence
over the NIS entry.
5) another variation on the netgroup in the local password file
    +@staff::0:0:::
    +::0:0:::/usr/local/etc/restricted-machine
where restricted-machine prints an informational message and then exits.
The +@staff line must come first: the first matching line wins, so the
catch-all "+" line would otherwise give staff the restricted shell as well.
Non-empty fields on a "+" line override the NIS values, but the compat-mode
implementations I know of (glibc nss_compat and Sun's) honour overrides only
for the password, gecos, home directory and shell fields; the "0:0" uid/gid
fields above are taken from NIS, not from this line. Check passwd(4) or
passwd(5) on your platform before relying on that.
6) use multiple NIS domains and restrict the distribution of the regular user
map to the hosts they are allowed to use. "Managing NFS & NIS" by Hal Stern
discusses this (pp. 55-68).
7) don't run NIS passwd on the sensitive hosts; use local /etc/passwd entries
for the required users.
8) chgrp the login shells to the group that is allowed access to a particular
server, e.g. on "staff only" servers all the login shells would be in the
'staff' group and "chmod o-rwx". Treat /bin/sh as a special case: daemons and
services running under unprivileged system accounts (lp, nobody, daemon) exec
it for scripts and system(3) calls, so restricting it breaks more than user
logins, and users whose NIS shell is /bin/sh are then not kept out by this
method.
9) check for the non-existence of a home directory by placing the following
lines in /etc/csh.login on each machine (a user without a home directory is
logged in with home=/, which the pwd test catches; onintr stops the user
escaping the logout with ^C):
    stty dec crt new susp ^-
    if ($USER != "root") then
        if (`pwd` == "/") then
            onintr getoff
            clear
            cat /xxx/login/nologin.txt
            sleep 5
    getoff:
            logout
        endif
    endif
10) another variation of the above; in /etc/profile include
    LOGNAME=${LOGNAME:-$USER}
    if [ `/usr/bin/id -u` -ne 0 ]; then       # root user ALWAYS allowed
        trap 'exit' INT QUIT TSTP             # ^C during the check logs out (as onintr does in 9)
        # anchored to the key column of auto.home; "grep -w" also matched names inside paths
        grep "^${LOGNAME}[[:space:]]" /etc/auto.home > /dev/null 2>&1
        if [ $? -ne 0 ]; then                 # no automounted home => no account on this host
            echo "You are not authorized to use this system"
            exit
        fi
        trap - INT QUIT TSTP
    fi
Both 9) and 10) run only when a login shell reads its startup file, so they
stop interactive logins but not "rsh host command", ftp or anything else that
bypasses csh.login and /etc/profile, and they depend on the user's shell
actually reading that file (csh.login for csh/tcsh, /etc/profile for sh/ksh).
11) a composite variation, e.g. for a machine which is a server but on which
you want to allow authenticated ftp access:
    +@admin_netgroup
    +joe
    +john
    +::::::/bin/false
Everyone in NIS who is not an admin, joe or john gets /bin/false as a shell,
so they can ftp but not log in. Most ftpd implementations refuse users whose
shell is not listed in /etc/shells (see getusershell(3)), so /bin/false has to
be added there for this to work.
12) here are some instructions on creating netgroups.
Netgroups are distributed by NIS and supported by the password/login system.
Each member of a netgroup is a (host,user,domain) triple; an empty field is a
wildcard, so (,user1,) means user1 on any host in any domain. Create a netgroup
name and associate a list of users with it:
    group1 (,user1,) (,user2,) (,user3,)
    group2 (,user4,) (,user5,) (,user5,)
Put this in /var/yp/src/netgroup (the netgroup source file at this site), run
make in /var/yp to rebuild the netgroup maps, and let NIS distribute them to
all hosts.
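The following is an added worked example of mine, not code from the original
summary or from any of the respondents: an offline resolver for the compat-mode
passwd semantics used in options 2, 3, 5 and 11, together with the netgroup
format of option 12. It scans a local passwd file in order and applies the
+/-, +@/-@ and override rules the way glibc nss_compat and Sun's compat mode
do (first match wins; a "-" line only blocks later "+" lines; only password,
gecos, home and shell can be overridden, never uid or gid). The users, hosts,
netgroups and passwd lines are constructed sample data, and the function names
are my own. Use it to check a passwd file before pushing it to a sensitive host.

```python
"""Offline resolver for NIS compat-mode passwd files: given a host's local passwd
file (with +/- lines), the NIS passwd map and the netgroup map, report which entry
a user gets on that host.  Rules as in glibc nss_compat / Sun compat mode: first
matching line wins; '-' lines block later '+' lines; uid/gid are never overridden."""
import re

TOKEN = re.compile(r"\([^)]*\)|[^\s()]+")  # "(host,user,domain)" or a nested netgroup name


def parse_netgroups(text):
    """{netgroup: [(host, user, domain) | nested_netgroup_name, ...]}"""
    groups = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        members = groups.setdefault(parts[0], [])
        for tok in TOKEN.findall(parts[1] if len(parts) > 1 else ""):
            if tok.startswith("("):
                host, user, domain = (f.strip() for f in tok[1:-1].split(","))
                members.append((host, user, domain))
            else:
                members.append(tok)
    return groups


def in_netgroup(groups, name, user, host, domain="", _seen=None):
    """True if (host, user, domain) matches a triple of `name` or of a nested netgroup.
    An empty triple field is a wildcard; any other value ('-' included) must match."""
    _seen = set() if _seen is None else _seen
    if name in _seen:  # cycle guard for netgroups that include each other
        return False
    _seen.add(name)
    for m in groups.get(name, ()):
        if isinstance(m, str):
            if in_netgroup(groups, m, user, host, domain, _seen):
                return True
        elif m[0] in ("", host) and m[1] in ("", user) and m[2] in ("", domain):
            return True
    return False


def parse_passwd(text):
    """Split passwd lines into 7 fields, padding short '+'/'-' lines."""
    return [(ln.split(":") + [""] * 7)[:7] for ln in text.splitlines() if ln.strip()]


def resolve(local_passwd, nis_passwd, groups, user, host, domain=""):
    """Return the 7-field passwd entry `user` gets on `host`, or None if none applies."""
    nis = {e[0]: e for e in parse_passwd(nis_passwd)}
    blocked = False
    for f in parse_passwd(local_passwd):
        sign, target = f[0][:1], f[0][1:]
        if sign not in ("+", "-"):  # ordinary local entry, matched by name
            if f[0] == user:
                return f
            continue
        if target == "":
            hit = True  # bare "+" / "-" applies to every NIS user
        elif target.startswith("@"):
            hit = in_netgroup(groups, target[1:], user, host, domain)
        else:
            hit = target == user
        if not hit:
            continue
        if sign == "-":
            blocked = True  # later '+' lines can no longer admit this user
            continue
        if blocked or user not in nis:
            continue
        entry = list(nis[user])
        for i in (1, 4, 5, 6):  # passwd, gecos, home, shell may be overridden
            if f[i]:
                entry[i] = f[i]
        return entry  # uid/gid (fields 2 and 3) always come from NIS
    return None


def shells_on_host(local_passwd, nis_passwd, groups, host):
    """Audit view: the login shell each NIS user gets on `host`, '-' if no entry."""
    shells = {}
    for e in parse_passwd(nis_passwd):
        r = resolve(local_passwd, nis_passwd, groups, e[0], host)
        shells[e[0]] = r[6] if r else "-"
    return shells


# Constructed sample data: users, hosts and netgroups invented for this example.
NIS_PASSWD = """\
joe:x:1001:100:Joe Blow:/home/joe:/bin/csh
ann:x:1002:100:Ann Admin:/home/ann:/bin/ksh
bob:x:1003:100:Bob Batch:/home/bob:/bin/sh
eve:x:1004:100:Eve Extra:/home/eve:/bin/sh
"""
NETGROUP = """\
staff      (,ann,) (,bob,)
badguys    (,joe,)
gis-users  (tiny-gis,joe,) (tiny-gis,bob,)
everyone   staff gis-users
"""
GROUPS = parse_netgroups(NETGROUP)
# Option 5: staff keep their NIS shell, everyone else gets the message-only shell.
PASSWD_SAP = "root:x:0:0:root:/:/bin/sh\n+@staff::0:0:::\n+::0:0:::/usr/local/etc/restricted-machine\n"
# Option 3: the exclusion must precede the '+' line; reversed, '+' has already matched.
PASSWD_GIS = "root:x:0:0:root:/:/bin/sh\n-@badguys\n+\n"
PASSWD_GIS_WRONG = "root:x:0:0:root:/:/bin/sh\n+\n-@badguys\n"
# Option 11: admins and named users log in, the rest get /bin/false.
PASSWD_FTP = "root:x:0:0:root:/:/bin/sh\n+@staff\n+joe\n+::::::/bin/false\n"
```

PASSWD_GIS_WRONG shows the ordering pitfall: with the "+" line ahead of
-@badguys, joe still gets his full NIS entry. The simulation is only a check on
the file; confirm the result on a test host with getent passwd or ypmatch on
your own platform before trusting it.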
==========================================
Original Message
> Our site makes extensive use of NIS to manage passwd, group and hosts files
> on our ~20 workstations/servers.
> This has proven simple and efficient.
>
> I would like to be able to restrict which hosts someone with a NIS account
> can access.
>
> ie I want to restrict Joe Blow who has legitimate access to
> tiny-gis-workstation, from being able to access big-sap-production-box. At
> the moment they can simply login to any host on the network, regardless of
> whether they have a home directory on that host or not, and stroll around.
=============================================
Thanks to
Sean O'Connell [sean_at_stat.Duke.EDU]
Serguei Patchkovskii [patchkov_at_ucalgary.ca]
David Warren [warren_at_atmos.washington.edu]
Bryan Dunlap [bcd_at_pacific.mps.ohio-state.edu]
Reginald Beardsley [esci_at_fastlane.net]
Stephen Nash [Stephen_Nash_at_ssga.com]
Gyula Szokoly [szgyula_at_tarkus.pha.jhu.edu]
Spider Boardman [spider_at_Orb.Nashua.NH.US]
George A. Dowdingg [dowdingg_at_saturn.math.uaa.alaska.edu]
Andrew Leahy [A.Leahy_at_cit.nepean.uws.edu.au]
Lucio Chiappetti [lucio_at_ifctr.mi.cnr.it]
Bob Vickers [bobv_at_dcs.rhbnc.ac.uk]
Sheila Hollenbaugh [shollen_at_cs.wright.edu]
C.Ruhnke [i769646_at_smrs013a.mdc.com]
Partin.Kevin [KPartin_at_hou.mdc.com]
Ralph Rodriguez [rrodrigu_at_ssc.wisc.edu]
CitiPower Pty ACN 064 651 056
Received on Thu Feb 25 1999 - 06:58:43 NZDT