Subject: Re: Hesiod passwd entries and login classes -- don't seem to mix?
To: Greg Hudson <ghudson@MIT.EDU>
From: Tracy J. Di Marco White <gendalia@iastate.edu>
List: current-users
Date: 02/08/2000 23:12:23
}> So, how can I use Hesiod for passwd lookups, but restrict which
}> machines users can log into?  The same problem would exist for NIS
}> users.

}In the Athena environment, we have basically the same problem, only
}without native support for login classes on most of our platforms.
}Basically, we want to treat the passwd database as an informational
}database about users and deal with access control separately.  Since
}we have to extend the login system anyway, we support a file
}/etc/athena/access, which just has lines saying "<username> <access
}bits>", where <access bits> contains "r" for remote access and "l" for
}local access, and <username> can be "*" to match anyone and
}"*inpasswd" to match anyone in the local passwd file.

At ISU we've implemented two methods of limiting access to machines.
For our servers, we set a field in /etc/login.conf that causes the
machine to require a special instance to log in.  For example, if
login.conf contains "instance=baz", then only those people with a
Kerberos instance of baz can log in, and only with their username.baz
password.  I may eventually see about coding this in.  On our clients
a central access server was implemented, which for each machine has a
root list, an access list, and an exclude list.  The members of the
root list control the other two lists, and can su on the particular
machine.  (The access list can include the list 'everybody', so exclude
lists are handy.)  If I ever hope to include NetBSD as one of our
local clients, I need to add this to login too, but it would be a local
hack.

}> Besides, doing an ls -l of a directory which contains files owned by
}> 5000 different users (think: /export/home) is *much* faster if you
}> do the uid->username lookups in Hesiod rather than in the flat file
}> that is /etc/passwd.  Try it!

Our main platforms using Hesiod are Ultrix (going away), Irix, and
OSF/1^WDigital Unix^W^WCompaq Tru64 Unix.  Ultrix had Hesiod from
before I started using it, so it was able to do exactly that.  CT64
isn't quite as nice. :)

}NetBSD doesn't look things up in the flat file which is /etc/passwd.
}It uses /etc/pwd.db or (if it can read it) /etc/spwd.db.  I'm a little
}surprised that Hesiod is faster, but db might turn out to impose more
}overhead than the resolver library and named.

Tracy J. Di Marco White
Project Vincent Systems Manager
gendalia@iastate.edu
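The two access-control models discussed in this message (the Athena
/etc/athena/access file quoted from Greg Hudson, and the ISU root/access/exclude
lists Tracy describes) are easy to get subtly wrong, in particular around what
happens when no rule matches.  The following is an added example, not Athena's,
ISU's or NetBSD's login code.  The access-file syntax follows the quoted
description ("<username> <access bits>", bits "r" and "l", "*" matching anyone,
"*inpasswd" matching anyone in the local passwd file).  Everything else is an
assumption made for this example: "#" comments, first-matching-rule-wins
semantics, deny when nothing matches, the sample file, and the sample local
passwd set standing in for a real /etc/passwd lookup.

```python
"""Access decisions modelled on the two schemes in the thread (added example)."""

from dataclasses import dataclass

# Constructed sample access file in the /etc/athena/access format (assumption:
# '#' starts a comment; rules are tried top to bottom and the first match wins).
SAMPLE_ACCESS = """\
# constructed sample, not a real Athena file
alice rl
bob l
*inpasswd l
* r
"""

# Constructed stand-in for the set of usernames present in the local passwd
# file; a Hesiod/NIS-only user would not appear here.
LOCAL_PASSWD = frozenset({"root", "alice", "operator"})

VALID_BITS = frozenset("rl")


@dataclass(frozen=True)
class AccessRule:
    user: str            # literal username, "*" or "*inpasswd"
    bits: frozenset      # subset of {"r", "l"}


def parse_access(text):
    """Parse access-file text into rules; reject malformed lines loudly
    (a silently ignored typo is how an access file ends up permissive)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<username> <access bits>'")
        user, bits = fields
        unknown = set(bits) - VALID_BITS
        if unknown:
            raise ValueError(f"line {lineno}: unknown access bits {sorted(unknown)}")
        rules.append(AccessRule(user, frozenset(bits)))
    return rules


def rule_matches(rule, user, in_local_passwd):
    """Apply the three username forms from the quoted description."""
    if rule.user == "*":
        return True
    if rule.user == "*inpasswd":
        return in_local_passwd
    return rule.user == user


def access_allowed(rules, user, remote, local_passwd=LOCAL_PASSWD):
    """True if the first matching rule grants the needed bit.
    No matching rule means deny: the file fails closed."""
    needed = "r" if remote else "l"
    for rule in rules:
        if rule_matches(rule, user, user in local_passwd):
            return needed in rule.bits
    return False


def machine_allowed(user, access, exclude):
    """ISU-style per-machine decision: the access list may contain the
    pseudo-entry 'everybody', and the exclude list always wins."""
    if user in exclude:
        return False
    return "everybody" in access or user in access


def may_su(user, root_list):
    """Members of a machine's root list may su on that machine."""
    return user in root_list


if __name__ == "__main__":
    rules = parse_access(SAMPLE_ACCESS)
    for name, remote in [("alice", True), ("bob", True), ("operator", True), ("carol", False)]:
        print(name, "remote" if remote else "local", access_allowed(rules, name, remote))
```

With the sample file, a Hesiod-only user such as "carol" falls through to the
"* r" rule and gets remote access only, while "operator" (present in the local
passwd file) stops at "*inpasswd l" and is refused remote login; ordering the
rules is therefore part of the policy, not just cosmetics.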