Restrict users to certain machines
David Magda
dmagda+usenet at ee.ryerson.ca
Sat Jun 15 12:26:34 EDT 2002
hartmans at mit.edu (Sam Hartman) writes:
[...]
> If you are on an OS without PAM, you will have to add functionality to
> whatever login binary you use.
Or your shell.
In certain places we use zsh [1] startup scripts/profiles to do
this. Any shell should work, however.
You create a directory available to all machines (e.g., NFS R/O
mounted). Then in your /etc/profile (or whatever):
CUT -------
# source a per-host profile if one exists for this machine
if [ -r /home/common/shell/profiles/hosts/`hostname` ]
then
. /home/common/shell/profiles/hosts/`hostname`
fi
CUT -------
In the file that is sourced you can do the following (at least with
zsh):
CUT -------
# -w matches the whole word, so a group such as "unauthorized" does not count
USERGROUP=`groups ${LOGNAME} | grep -w authorized`
if [ "${USERGROUP}" = "" ]
then
# if the user is not in the authorized group,
# the shell enters here
echo "You are not authorized. B'bye."
exit # <- this causes zsh to quit
# user is now disconnected
fi
# user in authorized group would pass test and continue logging in
CUT -------
[1] www.zsh.org
--
David Magda <dmagda at ee.ryerson.ca>
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
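An added example, not from the original post, of the same per-host check written so that group names are matched exactly and a host with no allow file denies everyone (an assumed fail-closed policy; the post's setup leaves such hosts unrestricted). The directory layout under PROFILE_DIR, the `hosts/<hostname>` allow files and the group names are assumptions.

```shell
#!/bin/sh
# Added example: per-host login authorization driven by a shared,
# read-only directory. Assumed layout: $PROFILE_DIR/hosts/<hostname>
# lists the groups allowed to log in on that host, one per line.
PROFILE_DIR=${PROFILE_DIR:-/home/common/shell/profiles}

# is_member GROUP "GROUPS..." : exact, whitespace-delimited match,
# so "unauthorized" never satisfies a check for "authorized"
is_member() {
    needle=$1
    set -- $2
    for g in "$@"; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# host_allows HOST "GROUPS..." : 0 if any of the user's groups appears in
# the host's allow file; an unreadable or missing file denies (fail closed)
host_allows() {
    allow_file="$PROFILE_DIR/hosts/$1"
    [ -r "$allow_file" ] || return 1
    while IFS= read -r allowed || [ -n "$allowed" ]; do
        case $allowed in ''|'#'*) continue ;; esac   # skip blanks/comments
        is_member "$allowed" "$2" && return 0
    done < "$allow_file"
    return 1
}

# Constructed sample data in a temp dir so the demo runs offline
demo() {
    PROFILE_DIR=$(mktemp -d)
    mkdir -p "$PROFILE_DIR/hosts"
    printf '# groups allowed on db01\nauthorized\nwheel\n' > "$PROFILE_DIR/hosts/db01"
    host_allows db01 "staff authorized" && echo "db01, groups staff authorized: allowed"
    host_allows db01 "unauthorized users" || echo "db01, groups unauthorized users: denied"
    host_allows web01 "authorized" || echo "web01, no allow file: denied"
    rm -rf "$PROFILE_DIR"
}
demo

# In a system-wide startup file the check would read:
#   host_allows "$(hostname)" "$(id -Gn)" || { echo "You are not authorized."; exit 1; }
```

Because the check only runs when the shell reads the file that contains it, place it in a startup file the shell sources for every invocation (for zsh, /etc/zshenv) rather than only in the login profile.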