
Re: Multiple trusted hosts setups

>  I am trying to set up a subnet with different sets of trusted hosts,
>  i.e., the trusted hosts lists are different for the various groups
>  allowing us to decide which machines have access to other machines
>  via these trusted hosts lists. For example:
>  ...
>  on-line, or can someone forward me some clues on the setting up of
>  PAM's files for r* commands for the multiple trusted host maps? Or
>  even a way to bypass PAM and use the old somewhat-reliable
>  authentication of UNIX days gone by?

The pam_netgroups module might be of help if I understand you correctly.
(See http://www2.physics.umd.edu/~payerle/Software/PAM/)

You can set it up to succeed if the remote host (as given by PAM_RHOST
variable) belongs to a NIS netgroup listed in some file.  The files listing
the netgroups will have to be managed on a per machine basis.

The biggest problem I would see is that the pam_netgroups module is designed
as a session_management module, not an authentication module (as it really 
doesn't authenticate, just checks authorization).  I am not sure where the
PAM_RHOST variable gets set normally (if that is done automatically by PAM,
or if an authentication module is supposed to do that).  If you intend to
grant access to anyone from machineA without any authentication (e.g. the
"somewhat-reliable authentication of Unix days gone by" of rsh + .rhosts),
you could do something like pam_success for authorization followed by
pam_netgroups for session_management.  _I_ WOULDN'T be comfortable with
such, but then I'm not comfortable with .rhosts either.

Tom Payerle 	
Dept of Physics				payerle@physics.umd.edu
University of Maryland			(301) 405-6973
College Park, MD 20742-4111		Fax: (301) 314-9525
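
Added example (not part of the original message, and not pam_netgroups' own code): a sketch of the check described above, in which a connection is accepted only if the remote host belongs to a netgroup named in a per-machine file. The netgroup data, the allow-list format and every function name are assumptions constructed for illustration; the code parses /etc/netgroup-style text itself instead of querying NIS.

```python
import re

# Constructed sample in /etc/netgroup syntax (not from the original post).
NETGROUP_MAP = """
physics-servers (alpha.example.edu,-,) (beta.example.edu,-,)
physics-desktops (gamma.example.edu,-,)
physics-all physics-servers physics-desktops
loop-a loop-b
loop-b loop-a
anyhost (,-,)
"""
# Constructed per-machine allow list; one netgroup per line is an assumed format.
ALLOWED_HERE = """
# netgroups trusted by this machine
physics-servers
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroups(text):
    """Map netgroup name -> (list of (host, user, domain), list of nested names)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m) for m in TRIPLE.findall(rest)]
        groups[parts[0]] = (triples, TRIPLE.sub(" ", rest).split())
    return groups

def host_in_netgroup(groups, group, host, seen=None):
    """True if host matches a triple in group or in any netgroup nested in it."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return False  # unknown group, or a cycle such as loop-a <-> loop-b
    seen.add(group)
    triples, nested = groups[group]
    # An empty host field is a wildcard and matches every host; "-" matches none.
    if any(h == "" or (h != "-" and h.lower() == host.lower()) for h, _u, _d in triples):
        return True
    return any(host_in_netgroup(groups, g, host, seen) for g in nested)

def rhost_allowed(rhost, allowed_text, groups):
    """Decision for one connection; an unset remote host is refused."""
    if not rhost:
        return False
    names = (l.split("#", 1)[0].strip() for l in allowed_text.splitlines())
    return any(host_in_netgroup(groups, n, rhost) for n in names if n)

GROUPS = parse_netgroups(NETGROUP_MAP)
```

The `anyhost` entry shows why the maps themselves need auditing: a triple with an empty host field admits every remote host.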
