SUMMARY [restricting logins]

Amol Karnik (amol@memcad.com)
Wed, 04 Mar 1998 09:54:20 -0500

oh boy, this list is awesome isn't it? but maybe i should have
read the man pages more carefully before posting my question.

anyways, it was real simple (once someone emails you how to do it,
it always is!).

here's my original question

--------- QUESTION -----------

> We run nis in our heterogeneous network here, and all users' home
> directories are nfs mounted on all machines using amd.
>
> There is one ultra5 running solaris2.5.1 on which i want
> to restrict access to only a few users. I can change the
> amd master map on that machine, and not mount their home
> directories. However they can still login to the machine,
> because passwords are via nis.
>
> how can i prevent most people from logging on to that
> machine? isn't there some users.allow or users.deny
> sort of thing? i don't want to change the /etc/shells
> and prevent logins, as then i myself won't be able to
> login to the machine. telnet, rsh, rlogin, all must be
> prevented, since this machine is only a server and no one
> has any need to get on to it.
>
> i thought of one way to do that... since all users use tcsh,
> i could replace tcsh with a shell script which first
> checks the username and then runs the actual tcsh if
> the username is allowed to login. but this is really
> a bad way to do things.

----------- END QUESTION -----------

SOLUTION:
---------

the easiest and the most popular way to do this is
to edit your /etc/nsswitch.conf and change the
passwd and group entries from "files nis" to "compat".

edit your /etc/passwd and at the end add entries for people
you want to be able to access the machine, like this:
+user1
+user2

and add the following line to disable logins from anyone else:
+::0:0:::/bin/false

edit the /bin/false file to echo whatever message you want.

then run pwconv to regenerate the shadow file and.....
you're done!

it really is so simple.

other alternatives were to create nis netgroups and
allow logins based on group, in the same way.

tcp_wrappers were also suggested for this. I haven't looked into that
since i had to get this running immediately, but i'll take a look into
it and if they are better, i'll post a follow up on that.

thanks to all who responded...i'm sorry if i'm unable to reply to
everyone personally and thank them.

here are the friendly folks!
Steven Sakata <sakats@buzzeo.com>
Rich Kulawiec <rsk@gsp.org>
Brian brw@jazz.njit.edu
Frank Cusack <fcusack@voicenet.com>
Billy Constantine <billy@smug.adelaide.edu.au>
pshannon@Schwab.COM (Patrick Shannon)
Jay Lessert <jayl@latticesemi.com>
Benjamin Cline <benji@hnt.com>
David Dhunjishaw <dave@colltech.com>
Jochen Bern <bern@puni-trier.de>
Rodney C. Marable <marable@firefly.net>
Chris Marble <cmarble@hmc.edu>
K.Ravi <RAVKRISH.IN.ORACLE.COM.ofcmail@in.oracle.com>
Mariel Feder <mfeder@central.meralco.com.ph>
anders@hmi.de (Thomas Anders)
Dieter Gobbers <gobbers@faw.uni-ulm.de>
Stefan Voss <s.voss@terradata.de>
martin@mednuc.hsr.it (Martin Achilli)
Gustavo Chaves <gustavo@cpqd.com.br>
David Thorburn-Gundlach <david@bae.uga.edu>
Ronald Loftin <reloftin@mailbox.syr.edu>

thanks,

amol

-----------------------------------------------------
Amol Karnik
Development Engineer amol@memcad.com
Microcosm Technologies, Inc. (617) 225-0094 x248
215 First St., Suite #2D (617) 621-7838 FAX
Cambridge MA, 02142 http://www.memcad.com
-----------------------------------------------------
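Added here as an illustration, not part of Amol's post or of any Sun tool: a small Python model of how a compat-mode passwd lookup walks the /etc/passwd entries described above, so the +user and +::0:0:::/bin/false lines can be checked offline before editing a real host. The user names, the NIS entries and the rule that non-empty passwd/gecos/dir/shell fields on a + line override the NIS values are assumptions of this example; +@netgroup lines are not modelled.

```python
# Added example, not from the original post: models a "compat" passwd lookup
# so the +user / +::0:0:::/bin/false entries can be checked offline.
# All entries below are constructed; +@netgroup lines are not modelled.

LOCAL_PASSWD = """root:x:0:0:Super-User:/:/sbin/sh
+amol
+::0:0:::/bin/false
"""

# Constructed stand-in for the NIS passwd map (name -> passwd(4) line).
NIS_MAP = {
    "amol":  "amol:x:1001:10:Amol Karnik:/home/amol:/bin/tcsh",
    "user2": "user2:x:1002:10:Other User:/home/user2:/bin/tcsh",
}

def resolve(name, local_passwd=LOCAL_PASSWD, nis_map=NIS_MAP):
    """Return the 7 passwd fields for `name` as compat mode would, or None.

    Lines are scanned top to bottom and the first match wins, so the
    +::0:0:::/bin/false catch-all must come after every +user line.
    """
    for line in local_passwd.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if f[0] == name:                      # ordinary local entry
            return f
        if f[0].startswith("+"):              # +user, or bare + for everyone
            selector = f[0][1:]
            if (selector and selector != name) or name not in nis_map:
                continue
            ent = nis_map[name].split(":")
            # Assumed override rule: non-empty passwd, gecos, dir and shell
            # fields on the + line replace the NIS values; uid/gid stay NIS.
            for i in (1, 4, 5, 6):
                if i < len(f) and f[i]:
                    ent[i] = f[i]
            return ent
    return None

def login_shell(name, local_passwd=LOCAL_PASSWD, nis_map=NIS_MAP):
    """Shell a user would get on this host, or None if unresolved."""
    ent = resolve(name, local_passwd, nis_map)
    return ent[6] if ent else None

def audit(local_passwd=LOCAL_PASSWD, nis_map=NIS_MAP):
    """Map every NIS user to the shell this host would hand them."""
    return {u: login_shell(u, local_passwd, nis_map) for u in nis_map}
```

audit() lists every NIS user with the shell this host would give them, which is the check worth running before and after the change; swapping the order of the two + lines shows why the catch-all must come last.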