pam and netgroups

Lassi Pölönen lassi.polonen at helsinki.fi
Wed Apr 16 15:58:38 UTC 2008


Hi,

I've been trying to implement netgroup-based centralized authentication 
control with pam. The downside of using pam_access with @users@@hosts 
syntax is that when you have a group of users and a group of hosts, it 
seems all the users are allowed to log in to those hosts in the defined 
group. Therefore that requires configuration on every host - a host has 
to know which group to honor. pam_access doesn't seem to check the host 
entry in the triple either.

A little exploration showed pam_succeed_if seems to have an "innetgr" 
option, so I thought it would have been the solution, which it wasn't, as 
PAM_RHOST is given as an argument to innetgr() instead of the local host 
name, so it would have been possible to limit the hosts users can log in 
from but not where users can log in to. So my question is, is there any 
standard pam module with netgroup checking capabilities except 
pam_access? One that would allow using the machine's own hostname in the 
innetgr call instead of PAM_RHOST? With one, one could pretty easily 
centralize login access control - in this case to ldap as the machines 
are already authenticating from there - without the need to have 
different configurations on different machines. Instead you would be 
able to write user and host pairs to ldap without touching the servers.

-lassi
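The distinction the post turns on (which name is put into the host slot of the netgroup triple when innetgr() is called) can be shown without a working NIS or LDAP netgroup map. The following is an added example, not code from the post or from Linux-PAM: it parses a small /etc/netgroup-style text and evaluates membership with the semantics of innetgr(3) (an empty field is a wildcard, "-" matches nothing, a NULL argument means "don't care", nested netgroup names are followed). The netgroup definitions, host names and user names are constructed for the demo; a real innetgr() resolves netgroups through NSS (files, NIS or nss_ldap), and a PAM module would obtain the two candidate host names from gethostname() and from pam_get_item(PAM_RHOST) respectively.

```python
"""Stand-alone model of netgroup triple matching, i.e. innetgr(3).

Added example for this thread, not code from the original post or from
Linux-PAM.  The netgroup text is a constructed sample in /etc/netgroup
format; every host and user in it is invented for the demonstration.
"""
import re

# Constructed sample (assumption: all names below are made up).
SAMPLE_NETGROUP = """
# name        (host,user,domain) triples and/or nested netgroup names
webadmins     (www1.example.org,alice,)  (www1.example.org,bob,) \\
              (www2.example.org,alice,)
dbadmins      (db1.example.org,carol,)   (db2.example.org,carol,)
anyhost-ops   (,dave,)
nohost-user   (-,erin,)
admins        webadmins dbadmins
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text):
    """Parse /etc/netgroup-style text into {name: [triple tuple | nested name, ...]}.

    Backslash line continuations are joined, '#' comments are dropped, and
    any bare word that is not a (h,u,d) triple is taken as a nested netgroup.
    """
    groups = {}
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        body = parts[1] if len(parts) > 1 else ""
        members = [tuple(f.strip() for f in m.groups())
                   for m in TRIPLE_RE.finditer(body)]
        members.extend(TRIPLE_RE.sub(" ", body).split())
        groups[name] = members
    return groups


def _field_ok(pattern, value):
    """One slot of a triple: '' is a wildcard, '-' never matches, and a value of
    None (like a NULL argument to innetgr) means the caller does not care."""
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is a member of netgroup, following nesting.
    Unknown netgroups and reference cycles yield False."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    for member in groups[netgroup]:
        if isinstance(member, tuple):
            h, u, d = member
            if _field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain):
                return True
        elif innetgr(groups, member, host, user, domain, _seen):
            return True
    return False


def allowed_from_rhost(groups, netgroup, user, rhost):
    """What the post describes pam_succeed_if doing: PAM_RHOST fills the host
    slot, so the netgroup restricts where the user may log in FROM."""
    return innetgr(groups, netgroup, host=rhost, user=user)


def allowed_on_host(groups, netgroup, user, local_hostname):
    """The check the post asks for: the machine's own host name fills the host
    slot, so the same netgroup restricts where the user may log in TO."""
    return innetgr(groups, netgroup, host=local_hostname, user=user)


if __name__ == "__main__":
    g = parse_netgroups(SAMPLE_NETGROUP)
    # bob is listed for www1 only; he connects from a laptop that is in no netgroup.
    print("bob from laptop, rhost check :", allowed_from_rhost(g, "webadmins", "bob", "laptop.example.org"))
    print("bob onto www1, local check   :", allowed_on_host(g, "webadmins", "bob", "www1.example.org"))
    print("bob onto www2, local check   :", allowed_on_host(g, "webadmins", "bob", "www2.example.org"))
```

With the rhost-based check, bob's login to www1 is refused simply because his laptop is not in the netgroup, while the local-hostname check answers the question the post actually wants answered (is bob allowed on this machine) and says no for www2. Nothing here touches NSS; to use real netgroups the `groups` argument would be replaced by the system's innetgr() or by a lookup against the nisNetgroup entries in LDAP.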
