current-users: Re: Hesiod passwd entries and login classes -- don't seem to mix?

Subject: Re: Hesiod passwd entries and login classes -- don't seem to mix?
To: Geoff Adams <gadams@avernus.com>
From: Roger Brooks <R.S.Brooks@liverpool.ac.uk>
List: current-users
Date: 02/08/2000 11:09:27
On Tue, 8 Feb 2000, Geoff Adams wrote:

>I have an interesting question about network storage of user configuration
>information (passwd entries) using NetBSD-current.
>

>Now, I have a number of machines.  Some, I want to allow any of my users to
>log into.  Others, such as my Kerberos server, I want to allow only the most
>trusted users to log into.  Still others, I want to allow one class of users
>to log into, but not another class.  To accomplish this so far, I've just
>been using /sbin/nologin as the shell in /etc/passwd on each machine for any
>user I don't want to allow to log into that machine.  I still want to see
>ownership of files as usernames, not uids, and otherwise be able to refer to
>the users, of course, so my /etc/passwd is complete on all my machines.  Of
>course, this is a pain to maintain.  And it just doesn't scale.
>

>So, how can I use Hesiod for passwd lookups, but restrict which machines
>users can log into?  The same problem would exist for NIS users.

We have been using something which works with NIS (and NIS+) for some
years, which depends on the "+::0:0:::" syntax in /etc/passwd.

We have a record

+::0:0:::/usr/local/bin/bosh

at the end of /etc/passwd.  bosh is the Bugger-Off Shell.  It applies
whatever rules you like to decide whether the user is allowed in, and if
so looks up the passwd entry directly in NIS (or NIS+) and execs the real
shell over itself.

We apply the following rules based on the user's gids:

    Users in group 0 are always allowed in.

    Users in any of the groups listed in /usr/local/etc/bosh.groups are
    allowed in.

    If the shell is activated as "bosh -c command args..." (an rsh-type
    access)rather than "-bosh", check /usr/local/etc/bosh.commands to see
    if "command args..." matches any of the records therein.  This allows
    users to rsh selected commands (e.g. imapd) onto machines which they
    otherwise can't log in to.

Of course this depends on being able to concatenate the NIS (or NIS+) map
with /etc/passwd, but override the shell field.  I don't know anything about
Hesiod, so I've no idea if this is possible although I suppose if there
were no other way you could put bosh in the Hesiod passwd record and store
the user's real shell in another map/table somewhere (and if you want your
access controls to be based on something other than gids, this map could
also contain the access control data).


Roger

------------------------------------------------------------------------------
Roger Brooks (Systems Programmer),          |  Email: R.S.Brooks@liv.ac.uk
Computing Services Dept,                    |  Tel:   +44 151 794 4441
The University of Liverpool,                |  Fax:   +44 151 794 4442
PO Box 147, Liverpool L69 3BX, UK           | 
------------------------------------------------------------------------------