[comp.unix.admin] netgroups

flur@duke.gatech.edu (Peter W. Flur) (11/27/90)

Currently, we have a mixed bag of SS1's and 4/110's running either
4.0.3 or 4.1.  There are three YP domains on the subnet, but we would
like to bring that down to just one if possible.  However, we would
like to be able to restrict which group of machines any one person has
access to.  Rather than use the YP domains to do this, as we are now,
we would like to use netgroups.  As an example, let me say that the
group of people p1, p2, p3, and p4 are all in the yp1 domain.  There
are three machines, m1, m2, and m3.  p1 and p2 should only be allowed
to access m1 and m2, while p3 should only be allowed on m3 and p4
should have access to all three machines. 

The hosts.equiv files all limit access to a list of machines in our
subdomain only. 

I have read the documentation in the Sun manuals, and tried every
combination of +@, -@, etc. in the password files and the hosts.equiv
files, but have had no success to date.


Can anyone offer any good advice as to how this can/should be
accomplished?

Thanks,
Peter
-----------------------------------------------------------------------
		    Peter Flur, Research Engineer
		   Georgia Institute of Technology
      School of Electrical Engineering, Atlanta, GA  30332-0250
		    E-MAIL: flur@eecom.gatech.edu
			PHONE: (404) 853-9355

deb@tc.fluke.COM (Deb Lilly) (12/15/90)

In article <17600@hydra.gatech.EDU>, flur@duke.gatech.edu (Peter W. Flur)
writes:

> ... we would
> like to be able to restrict which group of machines any one person has
> access to.  Rather than use the YP domains to do this, as we are now,
> we would like to use netgroups.  

At Fluke we use netgroups to limit logins on certain machines.  
Our YP domain is 'tc'.


Example 1 (netgroup in /etc/passwd to exclude logins from a machine):

Our netgroup 'uucpLogins' contains uucp accounts:

    uucpLogins (,uuaea,tc) (,uualle,tc) ...

In all our /etc/passwd files except on the uucphost, we exclude the
uucp accounts with:

    -@uucpLogins::0:0:::


Example 2 (netgroup in /etc/passwd to allow logins on a machine):

Our netgroup 'CDXusers' contains accounts for people allowed access to
a set of machines running a specialized application:

    CDXusers (,john,tc) (,amyh,tc) (,bryanf,tc) (,darren,tc) ...

In the /etc/passwd files on the restricted machines, we do not use
the full Yellow Pages passwd (no +::0:0::: entry), but do allow access 
to the CDXusers with:

    +@CDXusers::0:0:::


Example 3 (netgroup in /etc/hosts.equiv):

Our netgroup 'trustedhosts' includes all computers which use the same
logins, uids, groups, and gids as the rest of the network:

    trustedhosts (daphne,,tc) (eros,,tc) (hera,,tc) ...

The /etc/hosts.equiv file on all systems contains:

    +@trustedhosts 

There was a bug in SunOS 4.0.1 (bug ID 1022453) that required netgroup
names to be all lower case to work properly in /etc/hosts.equiv.  I 
don't know whether it's been fixed in 4.0.3 or 4.1.


Deb Lilly
Domain:	deb@tc.fluke.COM
UUCP:	uunet!fluke!deb
John Fluke Mfg. Co., M/S 223B, PO Box 9090, Everett WA 98206-9090  USA
+1 206 356-5052