Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: scs@lokkur.UUCP (Steve Simmons)
Newsgroups: comp.sys.sun
Subject: Re: Securing the Server
Keywords: Networks
Message-ID: <1178@lokkur.UUCP>
Date: 21 Apr 89 22:43:42 GMT
References: <3086@udccvax1.acs.udel.EDU>
Sender: usenet@rice.edu
Organization: Inland Sea Software, Ltd.
Lines: 33
Approved: Sun-Spots@rice.edu
Original-Date: 30 Mar 89 02:39:10 GMT
X-Sun-Spots-Digest: Volume 7, Issue 237, message 2 of 12

anderer@vax1.acs.udel.edu (David G Anderer) writes:
>My one solution was to use some file other than /etc/passwd as the YP
>passwd map (such as /etc/passwd.clients).  That works, except the server
>then has no knowledge of these accounts, and so things like ls -l on the
>server are messy because they display user numbers rather than user names.
>
>Is there a way (short of source) to only allow SOME accounts remote access
>to the server?

Several, but you've already got 99% of your solution.  Use an alternate
file for yp password management.  Write a filter that will take the yp
alternate file and change lines like

    scs:xaoiuSUDF&879:102:102:Steve Simmons:/u/scs:/bin/ksh

to

    scs:xaoiuSUDF&879:102:102:Steve Simmons:/u/scs:/etc/sorrysh
                                                   ^^^^^^^^^^^

Put this new file into /etc/passwd.  Now when people rlogin to the server,
they get the program /etc/sorrysh as their shell.  Here's the code for
/etc/sorrysh:

    #include <stdio.h>

    /* Login shell that refuses the session: print a message and exit. */
    int main(void)
    {
        (void) printf( "Sorry, you can't log into the server.\n" ) ;
        return 0;
    }

And now they can't log in.  You'll probably want to make a list of
'exempt' ids who get their normal shells.  The script is left as an
exercise for the student... :-)

-- 
Steve Simmons, Inland Sea Software, Ltd.   scs@lokkur.dexter.mi.us
9353 Hidden Lake, Dexter, MI. 48130        313-426-8981
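
One way the filter and the 'exempt' list described in the post could be written. This is an added example, not code from the original post; the `sorry_filter` name, the `SORRYSH` variable and the exempt-list file format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: sorry_filter EXEMPT_FILE < /etc/passwd.clients > passwd.new
# EXEMPT_FILE is an assumed format: one login name per line, '#' comments.
SORRYSH=${SORRYSH:-/etc/sorrysh}

sorry_filter() {
    # Refuse to run without the list; otherwise every account, root
    # included, would silently lose its shell.
    [ -r "$1" ] || { echo "sorry_filter: cannot read exempt list" >&2; return 2; }
    awk -F: -v OFS=: -v sorry="$SORRYSH" -v exfile="$1" '
        BEGIN {
            # Load exempt names in BEGIN so an empty list still works.
            while ((getline name < exfile) > 0) {
                sub(/#.*/, "", name); gsub(/[ \t]/, "", name)
                if (name != "") exempt[name] = 1
            }
        }
        # YP include/exclude entries (+name, -name, +@netgroup) pass through.
        /^[+-]/ { print; next }
        # A passwd entry has exactly 7 fields. Drop anything else rather
        # than guess, and report it so the new file is not installed.
        NF != 7 {
            printf "line %d: expected 7 fields, got %d\n", NR, NF > "/dev/stderr"
            bad = 1; next
        }
        # Everyone not exempt gets the refusal shell, including entries
        # with an empty shell field (which would otherwise mean /bin/sh).
        !($1 in exempt) { $7 = sorry }
        { print }
        END { exit bad + 0 }
    '
}
```

A non-zero exit status means the output is incomplete and should not be copied over /etc/passwd.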