Restrict users to certain machines

David Magda dmagda+usenet at
Sat Jun 15 12:26:34 EDT 2002

hartmans at (Sam Hartman) writes:

> If you are on an OS without PAM, you will have to add functionality to
> whatever login binary you use.

Or your shell.

In certain places we use zsh [1] startup up scripts/profiles to do
this. Any shell should work however.

You create a directory available to all machines (e.g., NFS R/O
mounted). Then in your /etc/profile (or whatever):

CUT -------

if [ -r /home/common/shell/profiles/hosts/`hostname` ]; then
        # source the per-host profile if one exists for this machine
        . /home/common/shell/profiles/hosts/`hostname`
fi

CUT -------

In the file that is sourced you can do the following (at least with

CUT -------

# groups the user belongs to, filtered for the "authorized" group
# (-w: whole-word match, so a group named e.g. "unauthorized" does not count)
USERGROUP=`groups ${LOGNAME} | grep -w authorized`
if [ "${USERGROUP}" = "" ]; then
        # if the user is not in the authorized group,
        # the shell enters here

        echo "You are not authorized. B'bye."
        exit # <- this causes zsh to quit

        # user is now disconnected
fi
# user in authorized group would pass test and continue logging in

CUT -------


David Magda <dmagda at>
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
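
An added example, not from David's post: a POSIX sh version of the same gate, where the per-host file lists the groups allowed on that machine (one per line) instead of hard-coding a single group name. PROFILE_DIR, user_allowed and login_gate are names assumed here.

```shell
#!/bin/sh
# Per-host login gate for a shell startup file (added example, not the
# original post's code). Assumed layout: $PROFILE_DIR/hosts/<hostname>
# lists the groups whose members may log in on that host, one per line.
# A host with no file is open to everyone, mirroring the post's
# "if [ -r ... ]" guard.

PROFILE_DIR="${PROFILE_DIR:-/home/common/shell/profiles}"

# user_allowed HOST "GROUPS": returns 0 if any of the user's groups is
# listed in the host's policy file, 1 otherwise. GROUPS is the
# space-separated output of `id -Gn` (or `groups`).
user_allowed() {
    host=$1
    groups_of_user=$2
    policy="$PROFILE_DIR/hosts/$host"
    [ -r "$policy" ] || return 0        # no policy for this host: allow
    for g in $groups_of_user; do
        # -x: whole-line match, so "authorized" never matches "unauthorized"
        if grep -qx -- "$g" "$policy"; then
            return 0
        fi
    done
    return 1
}

# login_gate: call this from the system-wide startup file; it ends the
# session when the current user is not allowed on this machine.
login_gate() {
    if ! user_allowed "$(hostname)" "$(id -Gn)"; then
        echo "You are not authorized on $(hostname). B'bye." >&2
        exit 1
    fi
}
```

Source it from a file the shell reads on every invocation (for zsh, /etc/zshenv rather than /etc/profile) if the gate should also cover non-interactive sessions, since /etc/profile is only read by login shells.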

More information about the Kerberos mailing list