[ I've cc'd and set reply-to for [EMAIL PROTECTED] ]

On Tue, 2005-10-11 at 07:38, mnikhil m wrote:
> Hi All :)
>
> I just wanted to ask that why the PAM on sol10 is still in the format
> of /etc/pam.conf, why it is not upgraded to /etc/pam.d style..Any
> Reasons ??

Upgraded is a very strange term. The LinuxPAM project added their own
extension to PAM by moving from /etc/pam.conf to /etc/pam.d (while still
supporting the former). This is outside of the original X/Open
specification for PAM which Sun authored.

> I thought pam on sol10 is implemented now in the form of /etc/pam.d
> but not..

Nope, nowhere did Sun indicate that we would do so. We still aren't
completely convinced of the benefit of /etc/pam.d versus /etc/pam.conf
there is as far as I can tell. There are some packaging benefits but no
benefits in the policy expression.

> I am not well comfortable with /etc/pam.conf but with /etc/pam.d ;)

Then type man pam.conf

The only real difference is that the first column is the service name
instead of the filename being the service name.

> Ok..I have a requirement like this..
> I have an NIS domain comprising of 10 boxes , lets say..
> and I have one prod box and I want to allow only people who are belong
> to two groups (of NIS) particularly on that box..
> so who ever tries to rlogin/rsh/ssh to that box remotely, should be
> denied the login unless they are from the mentioned groups..

That sounds like what you want is a role, see rbac(5).

Or you could implement a simple PAM module that checks for group
membership. I have one; I'll see if we can start posting the source for
these type of things in the security community pages.

--
Darren J Moffat
_______________________________________________
opensolaris-discuss mailing list
[email protected]
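
The column difference described in the reply above, shown as an added example that is not part of the original thread or any Sun or LinuxPAM code: a small converter that turns pam.d-style per-service rule text into pam.conf lines and back. The function names and the sample rules are constructed for illustration.

```python
# Added illustration: pam.d-style rules <-> pam.conf lines.
# Function names and SAMPLE_PAM_D are constructed, not from the thread.

def _logical_lines(text):
    """Yield rule fields, dropping '#' comments and joining '\\' continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "   # rule continues on the next line
            continue
        pending = ""
        if line.strip():
            yield line.split()


def pam_d_to_conf(service_files):
    """{service name: pam.d file text} -> pam.conf lines (service in column 1)."""
    out = []
    for service, text in service_files.items():
        for fields in _logical_lines(text):
            if len(fields) < 3:
                raise ValueError("rule needs type, control, module: %r" % fields)
            out.append(" ".join([service] + fields))
    return out


def conf_to_pam_d(conf_text):
    """pam.conf text -> {service name: [rules with column 1 removed]}."""
    files = {}
    for fields in _logical_lines(conf_text):
        if len(fields) < 4:
            raise ValueError("rule needs service, type, control, module: %r" % fields)
        files.setdefault(fields[0], []).append(" ".join(fields[1:]))
    return files


# Constructed sample: two services as they would appear as pam.d files.
SAMPLE_PAM_D = {
    "rlogin": "# constructed sample\n"
              "auth required pam_unix_auth.so.1\n"
              "account required \\\n    pam_unix_account.so.1\n",
    "other": "account required pam_unix_account.so.1\n",
}

if __name__ == "__main__":
    for rule in pam_d_to_conf(SAMPLE_PAM_D):
        print(rule)
```
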
