On Thu, 07 Sep 2000, you wrote:
> Submitted 07-Sep-00 by Ron Johnson, Jr.:
> > Would it be easier, if not foolproof, to enforce single-login
> > on dumb serial terminals?
>
I would say the best way to restrict logins for users is with the PAM
authentication scheme. Mandrake is (or can be) installed with PAM by
default, and login is a PAM-aware application. I don't recall the exact
syntax for the configuration files, but PAM is designed to handle just this
sort of problem. You can also configure all sorts of other quotas with
PAM, such as the number of processes a user can spawn, whether or not core
files can be created by that user, and all sorts of other things.

As far as the central domain controller NT-style argument, I would suggest
looking at NIS or NIS+, which is just that, a centralized domain
controller. The controls are relatively fine-grained for access to the
NIS domain; the major problem with NIS is security. There is none. If
someone can gain access to the NIS network, it is then trivial to 1)
discover the NIS domain name and add themselves to it, allowing attacks to
be mounted, or 2) attack the network to insert themselves as the new domain
host and reroute all authentication requests to their box. Even though
NIS does support the use of the shadow password file, the biggest problem
is the fact that an attacker can bind to the NIS domain and then request
the password map, which NIS will gladly hand over. There are other types
of access control as well; AFS has access control built into the system as
well as file system sharing. NIS and NFS in combination are one of the
standard bite-the-bullet *nix administration solutions. So long as one
knows what the risks are and accounts for those in the rest of their
security policies, it can be a manageable and working solution.
--
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com
____________________________
A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead
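
The per-user limits the message mentions (concurrent logins, process count, core files) are set through the pam_limits module and /etc/security/limits.conf. The following is an added example, not part of the original message: it resolves which hard limit applies to a user from a constructed limits.conf, assuming a simplified precedence of user over @group over `*`; the user and group names are made up.

```python
# Constructed sample in limits.conf syntax: <domain> <type> <item> <value>
SAMPLE_LIMITS = """\
# constructed example, not from the original message
*          hard  core       0
*          hard  maxlogins  4
@terminal  hard  maxlogins  1
@terminal  hard  nproc      50
alice      -     maxlogins  2
"""

ITEMS = ("maxlogins", "nproc", "core")  # the limits the message mentions

def effective_hard_limits(text, user, groups=()):
    """Return {item: (value, domain)} for the hard limits applying to `user`.

    Assumed precedence (simplified): user entry > @group entry > '*',
    and a later line wins over an earlier one at the same level.
    """
    best = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue  # blank line, comment, or malformed entry
        domain, ltype, item, value = fields
        if item not in ITEMS or ltype not in ("hard", "-"):
            continue  # a soft limit can be raised by the user, so skip it
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 0
        else:
            continue
        if item not in best or rank >= best[item][0]:
            best[item] = (rank, value, domain)
    return {item: (v[1], v[2]) for item, v in best.items()}

def unrestricted(text, user, groups=()):
    """Items from ITEMS that have no hard limit for this user."""
    limits = effective_hard_limits(text, user, groups)
    return [item for item in ITEMS if item not in limits]

if __name__ == "__main__":
    for who, grps in (("alice", ("terminal",)), ("guest", ("terminal",)), ("admin", ())):
        print(who, effective_hard_limits(SAMPLE_LIMITS, who, grps),
              "unrestricted:", unrestricted(SAMPLE_LIMITS, who, grps))
```

The limits only take effect for services whose PAM stack loads pam_limits in the session phase.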