Darren J Moffat wrote:
> Given that OpenSolaris has a pam_list module that supports netgroups
> do we even need this ?
It seems that pam_list does actually cover all the usual restrictions we
currently use in our environment. The proposed change for Allow/Deny Users
supports the more flexible phrase @user@@host (I know the syntax is ugly),
where you could allow/deny groups of users if they access the host from a group
of remote systems. I don't have a good example where this construct would be
crucial, though, so I cannot make too strong of an argument. In pam_list's
case you would have to construct a special netgroup consisting of the vector
product of the netgroup @user and the netgroup @host, if I understand it
With @user@@hosts you could e.g. configure that admins can only login from
I still would like to implement the proposed change, even though pam_list
will cover most (all of the usual) cases.
P.S.: pam_list is a welcome addition to Solaris's PAM stack, thank you!
Peter W. Osel -- http://pwo.de/ -- pwo at pwo.de
This message posted from opensolaris.org