Darren J Moffat wrote:
> Given that OpenSolaris has a pam_list module that supports netgroups
> do we even need this?

It seems that pam_list does actually cover all the usual restrictions we currently use in our environment.

The proposed change for Allow/Deny Users supports the more flexible phrase @user@@host (I know the syntax is ugly), where you could allow/deny groups of users if they access the host from a group of remote systems. I don't have a good example where this construct would be crucial, though, so I cannot make too strong of an argument.

In pam_list's case you would have to construct a special netgroup consisting of the vector product of the netgroup @user and the netgroup @host, if I understand it correctly?

With @user@@hosts you could e.g. configure that admins can only log in from admin systems.

I still would like to implement the proposed change, even though pam_list will cover most (all of the usual) cases.

Cheers --pwo

P.S.: pam_list is a welcome addition to Solaris's PAM stack, thank you!

-- Peter W. Osel -- http://pwo.de/ -- pwo at pwo.de

This message posted from opensolaris.org