Limit logins on a group of machines?
Bill Jonas
bill at billjonas.com
Wed Jun 17 14:14:22 MST 2009
On Wed, Jun 17, 2009 at 12:09:14PM -0700, Eric Shubert wrote:
> Why (might i ask) would you want to do such a thing? Perhaps there's a
> simpler solution to whatever the problem is you're trying to solve.
In a nutshell, it's a proxy service (yes, this is for work), and users
should not be able to share logins with their friends. The user
accounts themselves are maintained in a chrooted environment. There's a
cron job that checks the DB every 5 minutes, adds new accounts to
/var/chroot/etc/passwd and friends, and creates homedirs as needed.
Password authentication is provided by pam_mysql currently, but the
whole setup is being re-thought.
Right now, we're limiting it to only one login per machine, but there
will be more (mostly virtual, possibly some physical) machines added to
the mix shortly. The MySQL DB is currently replicated to each machine,
and authentication happens locally (that whole "single point of failure"
thing being undesirable). I'm currently trying to figure out the best
way to approach this, be it LDAP, NIS+, Hesiod, NSS-MySQL, or whatever.
--
Bill Jonas * bill at billjonas.com * http://www.billjonas.com/
"It's a dangerous business, Frodo, going out your front door. You step
into the Road, and if you don't keep your feet, there is no knowing
where you might be swept off to." -- Bilbo Baggins
More information about the PLUG-discuss
mailing list