Subject: Hesiod passwd entries and login classes -- don't seem to mix?
To: None <current-users@netbsd.org>
From: Geoff Adams <gadams@avernus.com>
List: current-users
Date: 02/08/2000 03:47:02
I have an interesting question about network storage of user configuration
information (passwd entries) using NetBSD-current.

I've used Kerberos for years for authentication.  In addition to its
security features, it's a convenient way to have a single network repository
for user passwords.  Change your password once, and it's changed for all
machines.

I've wanted for some time to go to Hesiod for such things as the group and
passwd databases.  This would be a great complement to Kerberos, and I've
already been using Hesiod for all my amd maps.  Since /etc/nsswitch was
implemented on NetBSD (good work, Luke!), I've been using Hesiod
successfully in lieu of /etc/group.  So far, so good.

Now, I have a number of machines.  Some, I want to allow any of my users to
log into.  Others, such as my Kerberos server, I want to allow only the most
trusted users to log into.  Still others, I want to allow one class of users
to log into, but not another class.  To accomplish this so far, I've just
been using /sbin/nologin as the shell in /etc/passwd on each machine for any
user I don't want to allow to log into that machine.  I still want to see
ownership of files as usernames, not uids, and otherwise be able to refer to
the users, of course, so my /etc/passwd is complete on all my machines.  Of
course, this is a pain to maintain.  And it just doesn't scale.

So, the interesting part:  I really want to replace use of /etc/passwd with
lookups into my Hesiod database.  And this works -- as long as I want to
allow any user to log into any machine!  In my Hesiod database, I need to
specify the user's real shell, so that the users will be able to log into
whatever machines they're allowed to.  But that means that I can't restrict
them by using /sbin/nologin as their shell.

This sounds like a perfect use for the new login.conf mechanism, using user
classes.  Great!  But, from looking in lib/libc/gen/getpwent.c (and from
trying it), there seems to be no way for libc to fetch the three new-style
passwd fields via Hesiod.  getpwent assumes Hesiod entries are in the old
passwd format.

So, how can I use Hesiod for passwd lookups, but restrict which machines
users can log into?  The same problem would exist for NIS users.

And I'd like to avoid periodic scripts which collect information from the
Hesiod database -- perhaps some combination of regular passwd entries and a
separate lookup for each user's class -- to generate /etc/master.passwd.
This is a network database, and I'd like lookups to be done directly across
the network.  Besides, doing an ls -l of a directory which contains files
owned by 5000 different users (think: /export/home) is *much* faster if you
do the uid->username lookups in Hesiod rather than in the flat file that is
/etc/passwd.  Try it!

Am I missing something?  Netgroups, perhaps?  I haven't yet figured out how
they might be relevant.

The only other thing I can think of is to modify /usr/bin/login to do an
extra Hesiod lookup to get the user's class, and then probably just jump
right into login.conf processing.  It'd be cool for other NetBSD sites to be
able to do this, though, so I'd of course have to contribute that back to
NetBSD.  And that means that everyone would have to like it.  :)

Or perhaps just modifying lib/libc/gen/getpwent.c to accept both formats?
But the extended-format passwd entries wouldn't play well with other OSes
that have the classic Hesiod passwd lookup stuff linked into libc.  Hmmm.

Thanks in advance for any thoughts!

- Geoff
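The core of the problem above is that a Hesiod passwd record can arrive in the classic 7-field /etc/passwd layout (name:passwd:uid:gid:gecos:dir:shell) or in the 10-field /etc/master.passwd layout (name:passwd:uid:gid:class:change:expire:gecos:dir:shell), and only the latter carries the login.conf class.  The following is an added example, not code from the post or from NetBSD's getpwent.c: a small parser that accepts either layout by field count, plus a hypothetical per-host policy check (`login_allowed`) that admits a user only if the record's class is in the host's allowed list.  The sample records, the class names "staff" and "student", and the rule that an empty class falls back to "default" are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_MAXFIELDS 10

/* One parsed passwd record; class/change/expire are only set for the
 * extended (master.passwd) layout.  Hypothetical struct, not libc's. */
struct pwrec {
    char name[64];
    char passwd[128];
    long uid;
    long gid;
    char class[32];     /* empty string for classic 7-field records */
    long change;
    long expire;
    char gecos[128];
    char dir[128];
    char shell[128];
    int  extended;      /* 1 if the record had 10 fields */
};

static void copyfield(char *dst, size_t dstlen, const char *src)
{
    snprintf(dst, dstlen, "%s", src);
}

/* Parse a decimal field strictly: reject empty or non-numeric values. */
static int parse_num(const char *s, long *out)
{
    char *end;
    *out = strtol(s, &end, 10);
    return (end == s || *end != '\0') ? -1 : 0;
}

/* Returns 0 on success, -1 on a malformed record (wrong field count,
 * non-numeric uid/gid, or an oversized line). */
int parse_hesiod_passwd(const char *record, struct pwrec *pw)
{
    char buf[512];
    char *fields[PW_MAXFIELDS];
    char *p, *sep = NULL;
    int n = 0;

    if (strlen(record) >= sizeof(buf))
        return -1;
    strcpy(buf, record);

    /* Split on ':' while keeping empty fields (strtok would collapse them). */
    p = buf;
    while (n < PW_MAXFIELDS) {
        fields[n++] = p;
        sep = strchr(p, ':');
        if (sep == NULL)
            break;
        *sep = '\0';
        p = sep + 1;
    }
    if (sep != NULL)            /* more than PW_MAXFIELDS fields */
        return -1;

    memset(pw, 0, sizeof(*pw));
    if (n == 7) {               /* classic passwd(5) layout */
        pw->extended = 0;
        copyfield(pw->name, sizeof pw->name, fields[0]);
        copyfield(pw->passwd, sizeof pw->passwd, fields[1]);
        if (parse_num(fields[2], &pw->uid) || parse_num(fields[3], &pw->gid))
            return -1;
        copyfield(pw->gecos, sizeof pw->gecos, fields[4]);
        copyfield(pw->dir, sizeof pw->dir, fields[5]);
        copyfield(pw->shell, sizeof pw->shell, fields[6]);
    } else if (n == 10) {       /* master.passwd(5) layout with class */
        pw->extended = 1;
        copyfield(pw->name, sizeof pw->name, fields[0]);
        copyfield(pw->passwd, sizeof pw->passwd, fields[1]);
        if (parse_num(fields[2], &pw->uid) || parse_num(fields[3], &pw->gid))
            return -1;
        copyfield(pw->class, sizeof pw->class, fields[4]);
        if (parse_num(fields[5], &pw->change) || parse_num(fields[6], &pw->expire))
            return -1;
        copyfield(pw->gecos, sizeof pw->gecos, fields[7]);
        copyfield(pw->dir, sizeof pw->dir, fields[8]);
        copyfield(pw->shell, sizeof pw->shell, fields[9]);
    } else {
        return -1;
    }
    return 0;
}

/* Hypothetical host policy: admit the user only if the record's class is
 * one the host allows.  A record without a class is treated as "default",
 * and /sbin/nologin still denies login regardless of class. */
int login_allowed(const struct pwrec *pw, const char *const *allowed, size_t nallowed)
{
    const char *cls = pw->class[0] != '\0' ? pw->class : "default";
    size_t i;

    if (strcmp(pw->shell, "/sbin/nologin") == 0)
        return 0;
    for (i = 0; i < nallowed; i++)
        if (strcmp(allowed[i], cls) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample records, one in each layout. */
    static const char *const samples[] = {
        "geoff:*:1000:100:Geoff Adams:/home/geoff:/bin/sh",
        "geoff:*:1000:100:staff:0:0:Geoff Adams:/home/geoff:/bin/sh",
    };
    const char *const kdc_classes[] = { "staff" };   /* what the KDC host admits */
    struct pwrec pw;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_hesiod_passwd(samples[i], &pw) != 0) {
            printf("record %zu: malformed\n", i);
            continue;
        }
        printf("record %zu: extended=%d class=\"%s\" allowed_on_kdc=%d\n",
               i, pw.extended, pw.class, login_allowed(&pw, kdc_classes, 1));
    }
    return 0;
}
```

With this split, a site could keep publishing the extended layout in Hesiod for hosts that understand it, while a classic-format client simply never sees a class and lands in "default"; the field-count check is what keeps the two from being confused, since the classic record's fifth field (gecos) would otherwise be read as a class name.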