Darren J Moffat wrote:
> Given that OpenSolaris has a pam_list module that supports netgroups
> do we even need this ?

It seems that pam_list does actually cover all the usual restrictions we 
currently use in our environment.  The proposed change for Allow/Deny Users 
supports the more flexible phrase @user@@host (I know the syntax is ugly), 
where you could allow/deny groups of users if they access the host from a group 
of remote systems.  I don't have a good example where this construct would be 
crucial, though, so I cannot make too strong of an argument.  In pam_list's 
case you would have to construct a special netgroup consiting of the vector 
product of the netgroup @user and the netgroup @host, if I understand it 

With @user@@hosts you could e.g. configure that admins can only login from 
admin systems.

I still would like to implement the proposed change, even though with pam_list 
will cover most (all of the usual) cases.


P.S.:  pam list is a welcome addition to Solaris's PAM stack,  thank you!

Peter W. Osel -- http://pwo.de/ -- pwo at pwo.de
This message posted from opensolaris.org

Reply via email to