Subject: "BSD Authentication"
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 11/22/1998 11:08:26
BSD/OS has a really *excellent* feature called "BSD Authentication".
In login.conf (another excellent feature), you can specify an authentication
style, or a *set* of styles, for a given login class.  For instance, you
could create a class
	skey-users:\
		:auth=skey:tc=default:

and when a user in skey-users logs in, his authentication is handled by
/usr/libexec/login_skey.

What makes this excellent is that the login_* programs have a nice,
well-documented, interface.  So, you can create a new login_daytime
which does
	#!/bin/sh
	# Hand off to the real style only during working hours.  Note that
	# `date +%H` prints a zero-padded hour, so the first pattern has to
	# be 09, not 9, and the user/class arguments must be forwarded.
	case `date +%H` in
	09|10|11|12|13|14|15|16)	exec /usr/libexec/login_passwd "$@";;
	*)	echo >&3 "reject";;
	esac
	exit 1

which allows users to log in only from 9:00 to 16:59.

I was thinking about how cool it would be if NetBSD could have a feature like
this.  I wrote the author, because I vaguely remembered hearing that some
day this would be distributed code.  Well, it's under a BSD license.  It could
be put in NetBSD as long as credit is given.

Unfortunately, not quite everything is under that license; while the libc
stuff for this is all under the BSD license, the programs like 'login'
and 'su' (and 'radiusd', for instance) aren't, so someone would probably need
to write them.

Oh, what's cool about 'login.conf'?  It lets you set system limits per
login class, so you might put 'root' in class 'daemon', and have
	daemon:\
		:datasize-max=64M:\
		:datasize-cur=32M:\
		:tc=default:

and anything that logs in as root gets to have a larger default datasize than
normal users would.

Would anyone be interested in seeing this feature set in NetBSD?  Would anyone
like to volunteer to actually do some of the integration?  If no one else
wants to, I'd be interested, but I warn you all, I'm not a security maven, and
I'm not sure I'd want to use an O/S for which I'd written login.c.  :)

-s
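A fuller login_* style along the lines of the login_daytime sketch above, as an added example (this is not code from the mail or from BSD/OS). It follows the calling convention BSD Auth uses for styles, login_style [-s service] [-v name=value] user [class], with the verdict written to file descriptor 3 as "authorize" or "reject". The window bounds, the /usr/libexec/login_passwd delegate and the dispatch-on-$0 guard at the bottom are assumptions made for the example; the decision logic is kept in functions so it can be checked without a real login session.

```shell
#!/bin/sh
# login_daytime: a BSD Authentication style that delegates to another style
# (assumed: /usr/libexec/login_passwd) only inside a time window.  Added
# example, not part of the original mail or of BSD/OS.
#
# BSD Auth invokes a style as:  login_style [-s service] [-v name=value] user [class]
# and reads the verdict on fd 3: "authorize" on success, "reject" on failure.

WINDOW_START=9     # first hour (inclusive) during which logins are allowed; assumption
WINDOW_END=16      # last hour (inclusive); assumption
DELEGATE=/usr/libexec/login_passwd   # style that does the real password check; assumption

# hour_allowed HH: exit 0 if HH (as printed by `date +%H`, zero padded) lies in
# the window, 1 otherwise.  The leading zero is stripped first, so "09" is
# compared as 9; a shell case-pattern of "9|10|..." would never match "09".
hour_allowed() {
    h=${1#0}
    [ -z "$h" ] && h=0          # a bare "0" strips to nothing; treat it as midnight
    [ "$h" -ge "$WINDOW_START" ] && [ "$h" -le "$WINDOW_END" ]
}

# verdict HH: print "delegate" (hand the request to the real style) or "reject".
verdict() {
    if hour_allowed "$1"; then
        echo delegate
    else
        echo reject
    fi
}

# reject_login: report failure on fd 3 and exit non-zero.  If fd 3 is not open
# (script run by hand from a terminal) the write is silently skipped.
reject_login() {
    echo reject 2>/dev/null >&3 || :
    exit 1
}

# main: decide on the current hour.  On "delegate", exec the underlying style
# with every argument forwarded untouched (-s service, user, class), so it
# also produces the final authorize/reject on fd 3.
main() {
    case "$(verdict "$(date +%H)")" in
    delegate) exec "$DELEGATE" "$@" ;;
    *)        reject_login ;;
    esac
}

# Dispatch only when installed under the style's name (assumed:
# /usr/libexec/login_daytime); sourcing the file just defines the functions.
case "${0##*/}" in
login_daytime) main "$@" ;;
esac
```

Installed as /usr/libexec/login_daytime and referenced from a login class with :auth=daytime:, this rejects outside the window and otherwise behaves exactly like login_passwd for the same user and class.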