On 10/31/06, Darren J Moffat <Darren.Moffat at sun.com> wrote:
> Please review the attached proposal and help with the outstanding issues
> before I submit this as an ARC case.
>
> Note that the Virtual Console project could end up depending on this
> case but does not at this time.

This seems to be a special case of another need that I have had with
other accounts that are shared.  Use cases include:

1) "test" user accounts that are designated for using test equipment
should be allowed to log in at the console of a machine but nowhere
else.  A somewhat wider selection of users should be able to log in
via ssh from a certain group of hosts.

2) Within a cluster, a particular application user should be able to
log in via ssh from other cluster members but not from hosts outside
of the cluster.  A certain group of named users should be able to
assume the identity of the application user.

I have solved the above problems with varying degrees of elegance
using pam_access
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html)
or by creative abuse of roles with customized sshd instances running
on different ports.  By far, the pam_access mechanism was much
cleaner.

It seems as though the following example addresses the core
requirements of this proposal:

=== Begin Quote ===
User root should be allowed to get access via cron, X11 terminal :0,
tty1, ..., tty5, tty6.

+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
=== End Quote ===

As much as I have liked pam_access, there are some things that concern
me with the matching rules.  Consider the case above.  Is root allowed
to log in from an IP address that resolves to "tty5"?  The inability
to be specific about user names vs. group names has similar issues.
However, I expect that these could be overcome and a far greater
number of use cases could be tackled.

Mike

-- 
Mike Gerdts
http://mgerdts.blogspot.com/

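A simplified model of the pam_access matching rules, added here as an example (it is not code from the message above nor from Linux-PAM itself). It embeds a constructed access.conf covering the two use cases in the message and then evaluates a few sample logins, including the tty-name/hostname ambiguity raised at the end. The user names "test", "app" and "appadmin", the cluster host names and the 10.1.0.0/24 network are assumptions; the first-match-wins rule, the "PAM_RHOST if set, else PAM_TTY" origin, the shared tty/hostname namespace and the user-or-group matching follow the pam_access documentation of the time, while group membership is passed in directly and the ALL EXCEPT and user@host forms are deliberately not modeled.

```python
"""Simplified model of pam_access(8) access.conf matching (added example)."""
import ipaddress

# Constructed access.conf (not from the message) for its two use cases:
#  1) "test" accounts may log in only at the console (tty1..tty6, X display :0),
#  2) the cluster application user "app" may log in only from other cluster
#     members, and members of group "appadmin" may log in from the management
#     network 10.1.0.0/24 (assumed names and addresses).
ACCESS_CONF = """\
# permission : users-or-groups : origins        (first matching line wins)
+ : test : tty1 tty2 tty3 tty4 tty5 tty6 :0
- : test : ALL
+ : app : node1.cluster.example node2.cluster.example node3.cluster.example
- : app : ALL
+ : appadmin : 10.1.0.0/24
- : ALL : ALL
"""


def parse(conf):
    """Return a list of (allow, user_tokens, origin_tokens) in file order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(token, user, groups):
    # pam_access compares a token against both the login name and the names of
    # the user's groups: the user-vs-group ambiguity mentioned in the message.
    return token == "ALL" or token == user or token in groups


def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":           # simplification: an origin without '.' is local
        return "." not in origin
    if token.startswith("."):      # domain suffix, e.g. ".cluster.example"
        return origin.lower().endswith(token.lower())
    if "/" in token:               # network/prefix, e.g. 10.1.0.0/24
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    # Plain token: tty names and host names share one namespace, so this is a
    # case-insensitive string compare regardless of where the origin came from.
    return token.lower() == origin.lower()


def check_access(rules, user, groups, tty=None, rhost=None):
    """True if the login is allowed. Origin is PAM_RHOST if set, else PAM_TTY."""
    origin = rhost or tty or ""
    for allow, users, origins in rules:
        if any(user_matches(t, user, groups) for t in users) and \
           any(origin_matches(t, origin) for t in origins):
            return allow
    return True  # no line matched: pam_access grants access


if __name__ == "__main__":
    rules = parse(ACCESS_CONF)
    attempts = [  # (description, user, groups, tty, rhost)
        ("test at the console",            "test", ["test"], "tty1", None),
        ("test via ssh from the LAN",      "test", ["test"], "pts/0", "10.1.0.7"),
        ("app from a cluster member",      "app", ["app"], "pts/1", "node2.cluster.example"),
        ("app from outside the cluster",   "app", ["app"], "pts/1", "outside.example.org"),
        ("bob (group appadmin) from LAN",  "bob", ["appadmin"], "pts/2", "10.1.0.7"),
        ("bob from elsewhere",             "bob", ["appadmin"], "pts/2", "10.2.0.7"),
        # The concern raised in the message: a remote host whose name is "tty5"
        # matches the tty5 token, so the "console only" rule admits it.
        ("test via ssh from host 'tty5'",  "test", ["test"], "pts/0", "tty5"),
        # And the user/group ambiguity: a user *named* appadmin matches the
        # line meant for the appadmin *group*.
        ("user named appadmin from LAN",   "appadmin", [], "pts/3", "10.1.0.9"),
    ]
    for desc, user, groups, tty, rhost in attempts:
        verdict = "allow" if check_access(rules, user, groups, tty, rhost) else "deny"
        print(f"{desc:34s} -> {verdict}")
```

The last two attempts are the ones to watch: both are allowed, which is exactly why a plain string compare over a shared tty/hostname namespace and a users field that silently matches group names need care when the file is written.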