On 10/31/06, Darren J Moffat <Darren.Moffat at sun.com> wrote:
> Please review the attached proposal and help with the outstanding issues
> before I submit this as an ARC case.
>
> Note that the Virtual Console project could end up depending on this
> case but does not at this time.
This seems to be a special case of another need that I have had with other accounts that are shared. Use cases include:

1) "test" user accounts that are designated for using test equipment should be allowed to log in at the console of a machine but nowhere else. A somewhat wider selection of users should be able to log in via ssh from a certain group of hosts.

2) Within a cluster, a particular application user should be able to log in via ssh from other cluster members but not from hosts outside of the cluster. A certain group of named users should be able to assume the identity of the application user.

I have solved the above problems with varying degrees of elegance using pam_access (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_access.html) or by creative abuse of roles with customized sshd instances running on different ports. By far, the pam_access mechanism was much cleaner. It seems as though the following example addresses the core requirements of this proposal:

=== Begin Quote ===
User root should be allowed to get access via cron, X11 terminal :0, tty1, ..., tty5, tty6.

+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
=== End Quote ===

As much as I have liked pam_access, there are some things that concern me with the matching rules. Consider the case above. Is root allowed to log in from an IP address that resolves to "tty5"? The inability to be specific about user names vs. group names has similar issues. However, I expect that these could be overcome and a far greater number of use cases could be tackled.

Mike

--
Mike Gerdts
http://mgerdts.blogspot.com/
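To make the access.conf semantics discussed in the mail concrete, here is an added Python model of the rule matching (an illustration written for this page, not pam_access's own code and not from the thread). It implements a simplified reading of the documented format: first matching line wins; the middle field is tried as a login name and then as a group name; the origin field holds tty names, host names, a trailing-dot network prefix, a leading-dot domain suffix, or ALL. The rule set encodes the two use cases from the mail; the user names, groups and network ranges are constructed, and the group table stands in for the system group database.

```python
"""Toy evaluator for a subset of pam_access access.conf rules.

Simplified model, not the pam_access implementation: only the rule
forms listed in the lead-in are handled (no LOCAL, no EXCEPT, no
user@host items).  All names, groups and networks are constructed.
"""

# Constructed group database standing in for /etc/group lookups.
GROUPS = {
    "labusers": {"alice", "bob"},
    "clusterops": {"carol", "dave"},
}

# Constructed access.conf contents covering the two use cases:
#  1) 'testuser' may log in only on the local consoles; members of the
#     'labusers' group may come in from the 10.1.2.0/24 lab network.
#  2) 'appuser' may log in only from the 10.9.0.0/16 cluster network.
ACCESS_CONF = """
# permission : users : origins
+ : testuser : tty1 tty2 tty3 tty4 tty5 tty6
- : testuser : ALL
+ : labusers : 10.1.2.
- : labusers : ALL
+ : appuser : 10.9.
- : appuser : ALL
"""


def parse_rules(text):
    """Parse 'perm : users : origins' lines into (allow, users, origins)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % line)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(item, user):
    # A bare name is tried as a login name and then as a group name; the
    # file format gives no way to say which one is meant, which is the
    # user-vs-group ambiguity the mail points out.
    if item == "ALL" or item == user:
        return True
    return user in GROUPS.get(item, ())


def origin_matches(item, origin):
    # tty names and host names share this field, so a literal item such
    # as "tty5" compares against whatever string the login presents.
    if item == "ALL":
        return True
    if item.startswith("."):        # domain suffix, e.g. .example.org
        return origin.endswith(item)
    if item.endswith("."):          # network prefix, e.g. 10.1.2.
        return origin.startswith(item)
    return item == origin           # literal tty, host name or address


def check(rules, user, origin):
    """True if access is granted.  As with the documented pam_access
    behaviour, a login that matches no line is allowed, which is why
    real files normally end with a '- : ALL : ALL' catch-all."""
    for allow, users, origins in rules:
        if any(user_matches(u, user) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow
    return True


RULES = parse_rules(ACCESS_CONF)

if __name__ == "__main__":
    samples = [("testuser", "tty1"), ("testuser", "10.1.2.7"),
               ("alice", "10.1.2.7"), ("alice", "192.0.2.5"),
               ("bob", "tty1"), ("appuser", "10.9.3.4"),
               ("appuser", "203.0.113.9"), ("eve", "203.0.113.9")]
    for who, where in samples:
        verdict = "allow" if check(RULES, who, where) else "deny"
        print("%-9s from %-14s -> %s" % (who, where, verdict))
```

In this model the console-only and network-only policies come out as intended, and the two concerns from the mail are visible in the code: the origin comparison is a plain string match, so a remote host presenting the bare name "tty5" would satisfy the console line, and a name in the users field is accepted whether it is a login or a group.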