SUMMARY : Hosts.equiv and netgroup

From: saintpe stephanie-ism/is 81737- (saintp@boreal-ci.cst.cnes.fr)
Date: Fri Apr 16 1999 - 02:21:27 CDT


Sorry for the delay, here is the summary of responses to my problem.
I couldn't find a really satisfactory solution, but I have some leads to
investigate.

I would particularly like to thank :

casper@holland.sun.com
reloftin@syr.edu
lewandow@cs.odu.edu
hargrme@wisdom.maf.nasa.gov
squaint@provide.net
lauradel@cs.uoregon.edu
hall@impact.xerox.com
ramk1@EXCITE.COM
cprice@molbio.unmc.edu

********************************************************************************
From casper@holland.sun.com

"hosts.equiv is not the way to grant individual users access.
 The /etc/hosts.equiv contents are prepended to each ~/.rhosts file.
 So usernames have no place there, as they indeed give such users access
 to all accounts.
 The nsswitch.conf "passwd: compat" mode allows you to selectively
 import users from NIS.
 If you want to control access to individual users' home directories, you
 have no choice but to chmod them. "
 
********************************************************************************
From reloftin@syr.edu Thu Apr 8 14:30:33 1999

"Try this configuration in your environment. We use it here to do restricted
 access to servers and other special-purpose machines:
 In /etc/nsswitch.conf, change the passwd entry to read:
 passwd: compat
 Create netgroups as you wish.
 In /etc/passwd, add lines for the netgroups you want to allow on that
 machine. Note the "+@" construct in the examples. The "+@" references the
 netgroup NIS map, while just a "+" references the NIS passwd map.
 To allow a group named "sysadmin":
 +@sysadmin:x:::::
 To allow user "webadmin" with a locally-specified home directory:
 +webadmin:x::::/tmp:
 To let the machine recognize all user IDs in NIS, but not let them log in:
 +:x:::::/usr/local/etc/nologin
 Contents of /usr/local/etc/nologin:
 #!/bin/grep ^[^#]
 You do not have permission to log on to this machine.
 End of /usr/local/etc/nologin
 You can modify locally any field in the passwd file. Blanks will be filled
 in from NIS, where available. You will want to spend some time
 experimenting to find the exact combination to satisfy all of your
 requirements."
 
********************************************************************************
From lewandow@cs.odu.edu Thu Apr 8 14:42:24 1999

"Here are the steps you need to do to enable this using netgroups. First,
 add a line in netgroups, that looks similar to the following:
 admins (,user1,) (,user2,) (,user3,) ... and so on
 you can change the keyword admins to anything, like servers, allow, etc.
 User1, user2, user3, etc would be the login names of the users you want to
 have access to this machine. For the rest of the example, I will use the
 netgroup name admins. Next add the following lines to /etc/passwd, not
 /etc/yp/passwd:
 +@admins::0:0:::
 +::0:0:::/bin/false
 What these two lines will do is only allow the users in the netgroup admins
 to log in and all other users will get /bin/false as their shell,
 essentially not letting them login. Next add this line to the end of
 /etc/shadow, again, not, /etc/yp/shadow.
 +@admins::::::::
 +::::::::
 Lastly, change the passwd line in /etc/nsswitch.conf to read:
 passwd: compat
 That's it. Of course you'll have to do a make in /var/yp to make the
 netgroups, sorry I forgot to mention that. If you ever need to grant or
 remove access to a user, just add or remove them from /etc/yp/netgroups.
 Hope this helps."
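
The "passwd: compat" recipes from reloftin and lewandow above are easy to get subtly wrong (a "+" line in the wrong place, an override field in the wrong column), and the only feedback on a real machine is a user who can or cannot log in. The script below is an added example, not part of any reply in this summary: it models the compat merge of a local /etc/passwd with a NIS passwd map and netgroup source so the effect of the +/- entries can be seen offline. The merge rules it codes are a simplified reading of the documented behaviour and are assumptions, not the Solaris implementation: non-empty local fields override NIS fields, a uid/gid of 0 in a + entry is treated as unspecified (matching the "+@admins::0:0:::" placeholder idiom in the replies), "-" entries exclude users from later "+" entries, and the first entry for a name wins. All sample data (passwd, nis_passwd, netgroup) is constructed for the example.

```shell
#!/bin/sh
# Added example: dry-run the "passwd: compat" merge of a local /etc/passwd
# with the NIS passwd map. Rules are a simplified model (assumption):
#   - lines without a leading + or - are used as they stand;
#   - "+name", "+@netgroup" and "+" pull entries from the NIS map, and a
#     non-empty field in the local entry overrides the NIS field;
#   - uid/gid 0 in a + entry counts as unspecified ("+@admins::0:0:::" idiom);
#   - "-name" / "-@netgroup" exclude users from later + entries;
#   - the first entry for a name wins, because that is what a lookup returns.
# Netgroup membership comes from the user part of each (host,user,domain)
# triple; nested netgroups are not followed in this example.

# compat_merge LOCAL_PASSWD NIS_PASSWD NETGROUP_SOURCE -> effective passwd on stdout
compat_merge() {
    awk -F: -v NG="$3" '
        function member(ng, u) { return ((ng, u) in ngmem) }
        # build the effective entry for name: local override fields win over NIS
        function merged(name, loc, nisline,    lf, nf, n1, i, v, o) {
            n1 = split(loc, lf, ":"); split(nisline, nf, ":")
            o = name
            for (i = 2; i <= 7; i++) {
                v = (i <= n1) ? lf[i] : ""
                if (v == "" || ((i == 3 || i == 4) && v == "0")) v = nf[i]
                o = o ":" v
            }
            return o
        }
        function emit(name, loc) {
            if (!(name in nis) || (name in seen) || (name in excl)) return
            seen[name] = 1
            print merged(name, loc, nis[name])
        }
        BEGIN {
            # netgroup source: "group (host,user,domain) ..." with \ continuations
            while ((getline line < NG) > 0) {
                if (line ~ /\\$/) { sub(/\\$/, "", line); acc = acc line " "; continue }
                line = acc line; acc = ""
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                gsub(/[ \t]*,[ \t]*/, ",", line)          # "(-, bob, dom)" -> "(-,bob,dom)"
                n = split(line, f, " ")
                for (i = 2; i <= n; i++)
                    if (split(f[i], t, ",") == 3 && t[2] != "") ngmem[f[1], t[2]] = 1
            }
            close(NG)
        }
        NF == 0 { next }
        FNR == NR { nis[$1] = $0; order[++nn] = $1; next }   # first file: NIS passwd map
        # second file: the local /etc/passwd with +/- entries
        $1 ~ /^-@/  { g = substr($1, 3); for (i = 1; i <= nn; i++) if (member(g, order[i])) excl[order[i]] = 1; next }
        $1 ~ /^-/   { excl[substr($1, 2)] = 1; next }
        $1 == "+"   { for (i = 1; i <= nn; i++) emit(order[i], $0); next }
        $1 ~ /^\+@/ { g = substr($1, 3); for (i = 1; i <= nn; i++) if (member(g, order[i])) emit(order[i], $0); next }
        $1 ~ /^\+/  { emit(substr($1, 2), $0); next }
        { if (!($1 in seen)) { seen[$1] = 1; print } }
    ' "$2" "$1"
}

# write_sample DIR -> constructed test data, not taken from any real system
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
-dave
+@admins::0:0:::
+webadmin:x::::/export/home/web-local:
+::0:0:::/bin/false
EOF
    cat > "$1/nis_passwd" <<'EOF'
alice:x:1001:10:Alice:/home/alice:/bin/ksh
bob:x:1002:10:Bob:/home/bob:/bin/csh
webadmin:x:1003:10:Web Admin:/home/webadmin:/bin/sh
carol:x:1004:10:Carol:/home/carol:/bin/sh
dave:x:1005:10:Dave:/home/dave:/bin/sh
EOF
    cat > "$1/netgroup" <<'EOF'
# constructed netgroup source
admins  (,alice,) \
        (-, bob, my.domain)
EOF
}

dir=$(mktemp -d)
write_sample "$dir"
compat_merge "$dir/passwd" "$dir/nis_passwd" "$dir/netgroup"
rm -rf "$dir"
```

Run as written, the model shows alice and bob keeping their NIS shells, webadmin picking up the locally specified home directory while everything else comes from NIS, carol (known to NIS but in no netgroup) ending up with /bin/false, and dave, excluded by the "-dave" line, not appearing at all. Swapping /bin/false for reloftin's /usr/local/etc/nologin script in the last "+" line changes only the shell field.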
 
********************************************************************************
From hargrme@wisdom.maf.nasa.gov Thu Apr 8 14:55:51 1999

"Stephanie,
 In the /etc/netgroup file put:
 userid (,userid,)
 In the /etc/password file put:
 +@userid::0:0:::
 You can also put multiple userid's.
 /etc/netgroup:
 userids (,userid1,) (,userid2,)
 /etc/password:
 +@userids::0:0:::
 Hope this helps."
 
********************************************************************************
From squaint@provide.net Thu Apr 8 15:22:04 1999

"You can use
 hostname +@netgroup to allow any user in the netgroup access. Conversely you can
 also use
 hostname -@netgroup to deny certain users access (any user in the netgroup).
 If you use @netgroup in the first field of hosts.equiv then any host in the
 netgroup gets access as in
 +@netgroup
 or can be denied access with
 -@netgroup
 See the man page on hosts.equiv for more information."

********************************************************************************
From lauradel@cs.uoregon.edu Thu Apr 8 15:54:22 1999

"We use netgroups extensively for machine access here.
 For example, say we have a machine named "mach01" and our domain is
 "my.domain".
 In the yp netgroups file we might have:
 mach01 (-, user1, my.domain) (-, user2, my.domain) (-, user3, my.domain)
 And so on (there is a line length limitation, which you can get around by
 making netgroups comprised of other netgroups).
 In the /etc/passwd file on mach01 you would see this line:
 +@mach01
 In the /etc/shadow file on mach01 you would see a corresponding line:
 +@mach01::8740::::::
 The /etc/nsswitch.conf file would be set:
 netgroup: nis
 No use of hosts.equiv.
 I hope this helps."
 
********************************************************************************
From hall@impact.xerox.com Thu Apr 8 17:51:22 1999

"Stephanie,
 You need to setup a NIS netgroup that looks a little like this..
 netgroupname \
        (machinename,username,NIS domainname) \
        (machinename,username,NIS domainname) \
        (machinename,username,NIS domainname)
 where netgroupname is the name of your netgroup (this can be anything),
 machinename is the name of your user's machine that you want to give access to,
 username is the username of the user and NIS domainname is your NIS domainname.
 In the /etc/hosts.equiv file put
 +@netgroupname
 This will allow only users from certain machines in your NIS Domain to
 log into that machine without a passwd.
 Hope this helps."
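
Casper's warning at the top of this summary, and the hosts.equiv syntax squaint and hall describe, come down to one check worth automating: a hosts.equiv entry with a user field (a user name, "+" or "+@netgroup" in the second column) lets that user in from that host as any non-root local account, not as one particular account, and a bare "+" in the host column trusts every host. The audit below is an added example, not part of any reply in this summary; it assumes the documented "host [user]" line format and the +/-/+@/-@ forms named above, and the sample file it checks is constructed for the example.

```shell
#!/bin/sh
# Added example: audit /etc/hosts.equiv for entries that grant more than
# intended. Format assumed (documented hosts.equiv layout): one entry per
# line, "host [user]"; host is a hostname, +, +@netgroup or -@netgroup, and
# the optional user field is a user name, +, +@netgroup or -@netgroup.

# audit_hosts_equiv FILE -> one finding per line on stdout
audit_hosts_equiv() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            host = $1; user = (NF >= 2) ? $2 : ""
            if (NF > 2) { flag("entry has " NF " fields, expected \"host [user]\""); next }
            if (host == "+") flag("bare + trusts every host that can reach this machine")
            if (user == "+")
                flag("user field + lets any user on " host " in as any non-root account")
            else if (user ~ /^\+@/)
                flag("every user in netgroup " substr(user, 3) " coming from " host " may log in as any non-root account")
            else if (user != "" && user !~ /^-/)
                flag("user " user " coming from " host " may log in as any non-root account, not only as " user)
            # a host alone only permits same-name logins from that host, and
            # -host, -@netgroup and -user entries deny, so none of those is flagged
        }
        function flag(msg) { printf("%s:%d: %s  [%s]\n", FILENAME, NR, msg, $0) }
    ' "$1"
}

# write_sample_hosts_equiv FILE -> constructed test data, not from a real host
write_sample_hosts_equiv() {
    cat > "$1" <<'EOF'
# constructed sample hosts.equiv
trustedhost
trustedhost alice
+@adminhosts
+@adminhosts +@admins
-@untrusted
+
buildbox +
badhost alice extra
EOF
}

f=$(mktemp)
write_sample_hosts_equiv "$f"
audit_hosts_equiv "$f"
rm -f "$f"
```

On the sample, the plain "trustedhost" and "-@untrusted" lines pass; "trustedhost alice" and "+@adminhosts +@admins" are flagged because the user column widens access to every non-root account, and "+" and "buildbox +" are flagged for trusting everything on one side or the other. The same check can be pointed at a ~/.rhosts file, which shares the format.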
 
********************************************************************************
From ramk1@EXCITE.COM Thu Apr 8 21:16:56 1999

"hi
 put the hostname and username in the ".rhosts" file of the particular user
 whose account should be accessible via rlogin.
 cheers & smiles"
 
********************************************************************************
From cprice@molbio.unmc.edu Fri Apr 9 14:44:11 1999

"Forget rlogin. It is inherently dangerously insecure. Use sshd with its
 encryption and authentication capabilities. See the DataFellows web site
 for the source for the daemon and for PC's purchase the client software."

********************************************************************************
From: "Neal S. Pressman" <nsp83273@melsud.res.ray.com>
To: sun-managers@sunmanagers.ececs.uc.edu
Subject: SUMMARY: NIS and Netgroups behaviour

thanks to:

Ronald Loftin <reloftin@syr.edu>
"David W. Blaine" <blained@gdls.com>
"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>

also thanks to:

Steve_Kilbane <Steve@gec-epl.co.uk>
who didn't respond to my e-mail but has posted a summary of this problem
to the archives:

<--- snip --->
Turns out that netgroup works only with NIS running, and that using
it in .rhosts files is no problem. I'll also make the tentative
observation that the wisdom that follows applies certainly to netgroup
usage in .rhosts files, but not necessarily in other places (e.g.,
hosts.equiv, exports) because some of the rules I have to follow
(e.g., don't use capital letters) are rules I've seen violated in
other places without problems. That having been said:
</--- snip --->

My problem was simply that our netgroup name was in upper case; this is not a
problem for 2.6 or 2.7, only earlier versions.

                Neal...
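
Several of the problems in this summary live in the netgroup source itself: Neal's upper-case group name, the line length limit lauradel mentions and works around with netgroups made of other netgroups, and members that refer to a group that was never defined. The script below is an added example, not part of any reply in this summary: it lints a netgroup source file before "make" is run in /var/yp and, given a group name, expands nested netgroups to the flat list of (host,user,domain) triples that a "+@group" line would admit. The 1024-byte length limit it uses as a default is an assumption (the thread gives no figure; set MAXLEN to what your makedbm allows), and the sample file is constructed for the example.

```shell
#!/bin/sh
# Added example: lint a netgroup source file and expand nested netgroups.
# Checks: upper-case letters in a group name, over-long entries (MAXLEN,
# default 1024 bytes, an assumption), malformed triples, duplicate
# definitions, references to undefined netgroups, and cycles while expanding.

# netgroup_check FILE [GROUP] -> "warn:"/"error:" lines, then "GROUP (h,u,d)" lines
netgroup_check() {
    awk -v MAXLEN="${MAXLEN:-1024}" -v GROUP="${2:-}" '
        function out(level, msg) { print level ": " msg }
        # print every triple reachable from g once, labelled with the root group
        function expand(root, g,    i, m) {
            if (g in visiting) { out("error", root ": netgroup cycle through " g); return }
            visiting[g] = 1
            for (i = 1; i <= nm[g]; i++) {
                m = mem[g, i]
                if (m ~ /^\(/) { if (!((root, m) in shown)) { shown[root, m] = 1; print root " " m } }
                else if (m in defined) expand(root, m)
            }
            delete visiting[g]
        }
        # join backslash-continued lines into one entry
        /\\$/ { sub(/\\$/, ""); acc = acc $0 " "; next }
        {
            line = acc $0; acc = ""
            if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) next
            if (length(line) > MAXLEN) out("warn", "entry ending at line " NR " is " length(line) " bytes, over " MAXLEN)
            gsub(/[ \t]*,[ \t]*/, ",", line)            # "(-, user, dom)" -> "(-,user,dom)"
            n = split(line, f, " ")
            g = f[1]
            if (g in defined) out("error", g " is defined more than once")
            if (g ~ /[A-Z]/) out("warn", g " contains upper-case letters, which older NIS netgroup lookups do not match")
            defined[g] = 1; nm[g] = n - 1
            for (i = 2; i <= n; i++) {
                m = f[i]; mem[g, i - 1] = m
                if (m ~ /^\(/) { if (m !~ /^\([^,()]*,[^,()]*,[^,()]*\)$/) out("error", g ": malformed triple " m) }
                else refs[g, m] = 1                  # a member without parens names another netgroup
            }
        }
        END {
            for (k in refs) { split(k, p, SUBSEP); if (!(p[2] in defined)) out("error", p[1] " refers to undefined netgroup " p[2]) }
            if (GROUP != "") { if (GROUP in defined) expand(GROUP, GROUP); else out("error", "no netgroup named " GROUP) }
        }
    ' "$1"
}

# write_sample_netgroup FILE -> constructed test data, not a real map
write_sample_netgroup() {
    cat > "$1" <<'EOF'
# constructed netgroup source
admins     (,alice,) (,bob,)
ADMINS-OLD (,alice,)
webhosts   (www1,-,my.domain) \
           (www2,-,my.domain)
staff      admins (-, carol, my.domain)
broken     (,dave)
mach01     staff webhosts nosuchgroup
EOF
}

f=$(mktemp)
write_sample_netgroup "$f"
netgroup_check "$f" mach01
rm -f "$f"
```

On the sample this warns about ADMINS-OLD, reports the two-field "(,dave)" triple and the undefined "nosuchgroup", and expands mach01 through staff and admins to alice, bob and carol plus the two web hosts, which is exactly what "+@mach01" in /etc/passwd would admit once the map is built. Running it from the Makefile target that builds the netgroup map catches the upper-case problem before the map reaches an older client.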

********************************************************************************



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:18 CDT