[OpenAFS-devel] [PATCH] new features for pam_afs
Charles Clancy
mgrtcc@cs.rose-hulman.edu
Fri, 31 Aug 2001 13:15:21 -0500 (EST)
With NIS+, some OSes (Solaris for sure) will let you restrict logins with
passwd_compat.
All our systems are AFS clients with PAM configured with pam_afs.so. On
our servers, we only want certain accounts to be able to log in, so we
have a configuration of the following:
# grep passwd /etc/nsswitch.conf
passwd: compat
passwd_compat: files nisplus
# tail -2 /etc/passwd
+@managers:x:::::
+:x:::::/afs/cs.rose-hulman.edu/common/login.restricted
# /usr/lib/nis/nisaddent -d netgroup | grep managers
managers (,mgrtcc,) (,mgrsls,) (,mgrlcb,) (,mgrkjh,) (,mgrnjf,)
(,mgrrjc,) (,mgrjdm,)
The key is the 2 lines at the end of /etc/passwd. The first ensures that
members of the netgroup managers are unaffected. Everyone else has their
shell changed to one that prints out a nasty-gram and disconnects them.
Also, I'm about half way done with what I call pam_wrap -- Basically, you
call pam_wrap for authentication, session management, etc., and then it
consults a configuration file that allows one to specify which other pam
service should handle the authentication on a per-user/group basis.
Ultimate flexibility. If anyone has any suggestions for features this
module should contain, let me know.
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus, RHIT Computer Science
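To see what the two "+" lines in the post actually do, here is a small model of nsswitch "passwd: compat" resolution. It is an added example, not code from the post, Solaris or OpenAFS; the NIS+ passwd and netgroup contents are constructed, and it assumes the classic compat rules (a "+" line overrides only the passwd, gecos, home and shell fields with its non-empty values, never uid/gid; "-" lines exclude; first match wins).

```python
"""Model of 'passwd: compat' resolution for the /etc/passwd tail in the post.

Assumptions (added example, not from the post or any OS source):
  * '+@netgroup', '+user' and '+' lines pull the directory (NIS+) entry and
    override only passwd, gecos, home and shell with their non-empty fields;
  * '-@netgroup' / '-user' lines exclude the user from later '+' matches;
  * lines are scanned in order and the first match wins, so order matters.
"""

# Constructed stand-ins for the NIS+ netgroup and passwd tables.
NETGROUPS = {"managers": {"mgrtcc", "mgrsls", "mgrlcb"}}
DIRECTORY = {
    "mgrtcc": "mgrtcc:x:1001:100:Charles Clancy:/home/mgrtcc:/bin/ksh",
    "student": "student:x:2001:200:Some Student:/home/student:/bin/sh",
}
RESTRICTED = "/afs/cs.rose-hulman.edu/common/login.restricted"
LOCAL_PASSWD = [                      # the tail of /etc/passwd from the post
    "root:x:0:0:Super-User:/:/sbin/sh",
    "+@managers:x:::::",
    "+:x:::::" + RESTRICTED,
]
OVERRIDABLE = (1, 4, 5, 6)            # passwd, gecos, home, shell; never uid/gid


def _merge(directory_entry, plus_fields):
    """Apply the non-empty fields of a '+' line on top of the directory entry."""
    fields = directory_entry.split(":")
    for i in OVERRIDABLE:
        if plus_fields[i]:
            fields[i] = plus_fields[i]
    return fields


def resolve(user, local_lines=LOCAL_PASSWD, directory=DIRECTORY, netgroups=NETGROUPS):
    """Return the 7 passwd fields for `user`, or None when nothing matches."""
    excluded = False
    for line in local_lines:
        f = line.split(":")
        name = f[0]
        if name == user:
            return f                          # plain local entry wins outright
        in_ng = name[2:] in netgroups and user in netgroups[name[2:]]
        if (name.startswith("-@") and in_ng) or name == "-" + user:
            excluded = True                   # shadowed for the rest of the scan
        elif excluded or user not in directory:
            continue
        elif (name.startswith("+@") and in_ng) or name in ("+", "+" + user):
            return _merge(directory[user], f)
    return None


def login_shell(user):
    """Shell the user would get at login, or None if the account is unknown."""
    entry = resolve(user)
    return entry[6] if entry else None
```

Swapping the two "+" lines shows why their order matters: the catch-all then matches the managers first and they get the restricted shell too.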