Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: jipping@cs.hope.edu (Mike Jipping)
Newsgroups: comp.sys.sun
Subject: Re: Securing the Server
Keywords: Networks
Message-ID: <8903310255.AA01363@cs.hope.edu>
Date: 22 Apr 89 00:04:22 GMT
Sender: usenet@rice.edu
Organization: Sun-Spots
Lines: 17
Approved: Sun-Spots@rice.edu
Original-Date: Thu, 30 Mar 89 21:55:11 EST
X-Sun-Spots-Digest: Volume 7, Issue 237, message 6 of 12

How about the following scheme. You suggested an alternate source for the YP passwd map (e.g., /etc/passwd.clients); use that. Now in /etc/passwd on the server, use a different login shell than /bin/csh or /bin/sh -- try something that does nothing or kicks folks off the machine (after perhaps recording that they trespassed).

A spiffy trick for these "alternate" shells appeared in an STB last year -- it automagically routed the user to a free client on the network. Now, that example was for users calling in, but it would work for you as well.

This way, a user is still known on the server, but can't telnet/rlogin to do anything useful. And some accounts -- the ones you give a "real" login shell to -- can still login and use the machine.

Mike Jipping
Hope College Department of Computer Science
jipping@cs.hope.edu
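
The scheme described in the post above, sketched as an added example that is not part of the original message: the body of a refusing login shell that records the attempt, and a check that only the intended accounts in the server's passwd file keep a real shell. The nologin path, the log location, the `NOLOGIN_LOG` variable and the account names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and account names are assumed.

# Body of a refusing login shell: record the attempt, tell the user, return non-zero.
# NOLOGIN_LOG is a hypothetical variable; the default path is a placeholder.
deny_login() {
    log=${NOLOGIN_LOG:-/tmp/nologin-attempts.log}
    # id -un asks the system who we are instead of trusting $USER or $LOGNAME.
    printf '%s refused login user=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -un)" >> "$log"
    echo "Interactive logins are not permitted on this server." >&2
    return 1
}

# audit_passwd PASSWD_FILE DENY_SHELL "ALLOWED USERS"
# Prints user:shell for every account that can still get a real shell
# without being on the allow list. An empty shell field means /bin/sh.
audit_passwd() {
    awk -F: -v deny="$2" -v allowed="$3" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[+-]/ || /^#/ || NF < 7 { next }   # YP include lines, comments, short lines
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell != deny && !($1 in ok)) print $1 ":" shell
        }' "$1"
}

# Constructed sample of the server's /etc/passwd under this scheme.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:0:1:Operator:/:/bin/csh
carol:*:101:10:Carol:/home/carol:/usr/local/etc/nologin
alice:*:102:10:Alice:/home/alice:/bin/csh
bob:*:103:10:Bob:/home/bob:
+::0:0:::
EOF
# Only root is meant to keep a real shell here, so alice and bob are reported.
audit_passwd "$sample" /usr/local/etc/nologin "root"
rm -f "$sample"
```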