Subject: Re: [netatalk-admins] denying access
From: Sid Van den Heede (sidv@opentext.com)
Date: Wed Jan 21 1998 - 09:37:06 EST

On Wed, 21 Jan 1998, Edan Idzerda wrote:
> On Wed, 21 Jan 1998, Peter Bolmehag wrote:
> > I have netatalk running. When someone gets an account they automatically
> > are able to log in to the machine via netatalk. I want to be able to shut
> > out certain users. How?
>
> Oooh, this might be tricky. You should be able to disable netatalk
> logins by setting their shell to something not specified in
> /etc/shells--or whatever getusershell() on your machine looks
> in.
>
> But that will probably mean they can't log in via telnet either.
>
> If you want to disallow logins from the Mac side and the unix side,
> easy. If you want to allow unix logins but not allow Mac connections...
> Hmmm. I don't know if you can do that.
>
> It wouldn't be too difficult to add another check in auth.c to
> kick out certain users, but I don't know what the criteria
> would be so I don't have a solution in mind.

Now, if auth.c (or whatever) uses or can use Pluggable Authentication
Modules (PAM), then you can relatively easily add this kind of control.
PAM is currently available in Linux and Solaris 2.6, so it should show up
in other UNIX-like OSs Real Soon Now. The authentication module could
check the source of the user (e.g., IP address or name), but maybe not
much else. An alternative would be to use ipfw stuff on Linux, or the TIS
firewall toolkit.
------------------------------------------------------------------
Sid Van den Heede Open Text Corporation
+1 519 888 7111 x2211 185 Columbia Street West
+1 519 888 0677 (fax) Waterloo, Ontario, Canada N2L 5Z5
sidv@opentext.com
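
The two checks discussed in this thread (a shell that must appear in the valid-shell list, plus an extra per-user test applied only on the AFP side) can be sketched in C as follows. This is an added example, not netatalk's auth.c: the function names, the AFP-only deny list and its file format are assumptions, and the lists are passed in as text so the sample runs offline (a real daemon would take the shells from getusershell()).

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` is an entry in `list`, text in /etc/shells format:
 * one entry per line, '#' starts a comment, blank lines are ignored. */
static int listed(const char *list, const char *name)
{
    size_t want = strlen(name);
    while (*list) {
        size_t len = strcspn(list, "\n");   /* length of the whole line */
        size_t n = strcspn(list, "#\n");    /* part before any comment */
        const char *p = list;
        while (n && (*p == ' ' || *p == '\t')) { p++; n--; }
        while (n && (p[n - 1] == ' ' || p[n - 1] == '\t' || p[n - 1] == '\r')) n--;
        if (n && n == want && memcmp(p, name, n) == 0) return 1;
        list += len + (list[len] == '\n');
    }
    return 0;
}

/* AFP-side decision: the shell must be a listed shell (the check the
 * message describes) and the user must not be on an AFP-only deny list.
 * Unix logins never consult `deny`, so telnet keeps working for those users. */
int afp_login_allowed(const char *shells, const char *deny,
                      const char *user, const char *shell)
{
    if (!shells || !user || !shell) return 0;   /* fail closed */
    if (!listed(shells, shell)) return 0;
    if (deny && listed(deny, user)) return 0;
    return 1;
}

/* Constructed sample data, not taken from any real system. */
static const char SAMPLE_SHELLS[] = "# valid shells\n/bin/sh\n/bin/csh\n";
static const char SAMPLE_DENY[] = "# AFP deny list\nmallory\n\nguest   # shared\n";

int check_sample(const char *user, const char *shell)
{
    return afp_login_allowed(SAMPLE_SHELLS, SAMPLE_DENY, user, shell);
}

int main(void)
{
    printf("bob/sh=%d mallory/sh=%d carol/nologin=%d\n",
           check_sample("bob", "/bin/sh"),
           check_sample("mallory", "/bin/sh"),
           check_sample("carol", "/sbin/nologin"));
    return 0;
}
```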