Securing the Server

Steve Simmons scs at lokkur.UUCP
Sat Apr 22 08:43:42 AEST 1989


anderer at vax1.acs.udel.edu (David G Anderer) writes:
>My one solution was to use some file other than /etc/passwd as the YP
>passwd map (such as /etc/passwd.clients).  That works, except the server
>then has no knowledge of these accounts, and so things like ls -l on the
>server are messy because they display user numbers rather than user names.
>
>Is there a way (short of source) to only allow SOME accounts remote access
>to the server?

Several, but you've already got 99% of your solution.  Use an alternate
file for yp password management.  Write a filter that will take the yp
alternate file and change lines like

  scs:xaoiuSUDF&879:102:102:Steve Simmons:/u/scs:/bin/ksh
to
  scs:xaoiuSUDF&879:102:102:Steve Simmons:/u/scs:/etc/sorrysh
                                                  ^^^^^^^^^^^
Put this new file into /etc/passwd.  Now when people rlogin to the server,
they get the program /etc/sorrysh as their shell.  Here's the code for
/etc/sorrysh:

#include <stdio.h>

/* Login "shell" that prints a refusal and exits. */
int main(void)
{
	(void) printf( "Sorry, you can't log into the server.\n" ) ;
	return 0 ;
}

And now they can't log in.

You'll probably want to make a list of 'exempt' ids who get their
normal shells.  The script is left as an exercise for the student... :-)
-- 
Steve Simmons, Inland Sea Software, Ltd.         scs at lokkur.dexter.mi.us
   9353 Hidden Lake, Dexter, MI. 48130                   313-426-8981    
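
Added example, not part of the original post: one possible version of the filter the reply describes, including the exempt list it leaves as an exercise. The function name, the exempt-file format and the paths /etc/sorry.exempt and /etc/passwd.new are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reads passwd-format lines on
# stdin and writes them to stdout with the shell field (7th) set to
# /etc/sorrysh, except for login names listed in the exempt file.
# The exempt file format (one login name per line, '#' comments) is an
# assumption of this example. root belongs in it, or root gets sorrysh too.
#
# Usage: sorry_filter /etc/sorry.exempt < /etc/passwd.clients > /etc/passwd.new

sorry_filter() {
    exempt_file=$1
    # A missing exempt list would lock out every account, so refuse to run.
    [ -r "$exempt_file" ] || { echo "sorry_filter: cannot read exempt file" >&2; return 2; }

    awk -F: -v OFS=: -v exempt_file="$exempt_file" -v sorry=/etc/sorrysh '
        BEGIN {
            # Load exempt login names, skipping blank lines and comments.
            while ((getline line < exempt_file) > 0) {
                if (line == "" || line ~ /^#/) continue
                exempt[line] = 1
            }
            close(exempt_file)
        }
        # YP "+" / "-" entries and blank lines pass through untouched.
        /^[+-]/ || /^$/ { print; next }
        # A passwd line has exactly 7 fields; report anything else and fail.
        NF != 7 {
            printf "sorry_filter: line %d: expected 7 fields\n", NR | "cat 1>&2"
            bad = 1
            next
        }
        # An empty shell field means /bin/sh, so it is replaced as well.
        !($1 in exempt) { $7 = sorry }
        { print }
        END { exit bad + 0 }
    '
}
```

Install the generated file as /etc/passwd only when the function returns zero; a non-zero status means a malformed line was dropped or the exempt list could not be read.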


