From: "John W. DeBoskey"
Message-Id: <199906240404.AAA34801@bb01f39.unx.sas.com>
Subject: Login validation by home directory location (PAM?)
To: freebsd-hackers@freebsd.org
Date: Thu, 24 Jun 1999 00:04:30 -0400 (EDT)

Hi,

I have an administration problem that I'm trying to solve, and I'm looking for comments and ideas.

I have about 6000 users in the passwd file. We have a number of compute servers available to these users which (the boss) wants to have allocated according to where the user's home directory is located. All the home directories are mounted via amd on a /nfs/machine.name.domain/ mount point.

    user1:::::/nfs/m1/usr/home/user1
    user2:::::/nfs/m1/usr/home/user2
    user3:::::/nfs/m1/usr/home/user3

For example, I want to allow user2 access to host server2, but not hosts server1 or server3.

I don't want to have a lot of passwd file maintenance, so I thought about modifying login to validate on the user's home directory.
So, in auth_traditional(), I check to see where the home directory is, and if it is valid for the current machine I authorize the login; otherwise I output an access denied msg and return failure.

There must be a better way of doing this, but I don't see how. I've looked at PAM, but I don't understand how I could make this type of facility work except maybe in the pam_authenticate() routine. However, this seems complicated compared to simply modifying auth_traditional().

I'd appreciate any comments from folks who have done anything similar or used PAM to solve a related type of management issue.

Thanks!
John
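The check the post describes, written out as an added example in C (this is not the poster's code, and not FreeBSD's login(1) or any PAM module): given the home-directory field from a passwd(5) line and the name of the machine the user is logging in to, decide whether the /nfs/<server>/ prefix matches that machine. The /nfs/<server>/... layout and the 7-field passwd line format are taken from the post; the function names, the matching rule (the server component must equal either the full host name or its short name before the first '.'), and the sample host names are assumptions of this example. Two design points worth noting for whoever implements it for real: the function fails closed, so a home directory that is not under /nfs/ at all (or has an empty server component) is refused rather than silently allowed; and because this is an authorization policy rather than a proof of identity, in a PAM-based login it belongs in the account-management step (pam_sm_acct_mgmt, run via pam_acct_mgmt) rather than in pam_authenticate.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mount-point prefix from the post: homes live under /nfs/<server>/... */
#define NFS_PREFIX "/nfs/"

/* Return true if the home directory's /nfs/<server>/ component names
 * the host we are running on. Matching rule (an assumption of this
 * example): <server> must equal the full host name, or the host's
 * short name (everything before the first '.'). Anything that does
 * not fit the expected layout is refused (fail closed). */
bool home_allows_host(const char *home, const char *host)
{
    if (home == NULL || host == NULL)
        return false;
    if (strncmp(home, NFS_PREFIX, strlen(NFS_PREFIX)) != 0)
        return false;                       /* not an amd-mounted home */

    const char *server = home + strlen(NFS_PREFIX);
    const char *end = strchr(server, '/');
    size_t slen = end ? (size_t)(end - server) : strlen(server);
    if (slen == 0)
        return false;                       /* "/nfs/" or "/nfs//..." */

    /* Exact match against the full host name. */
    if (strlen(host) == slen && strncmp(host, server, slen) == 0)
        return true;

    /* Match against the short host name, since the post's example uses
     * /nfs/m1/ while the mount points are named machine.name.domain. */
    const char *dot = strchr(host, '.');
    size_t hlen = dot ? (size_t)(dot - host) : strlen(host);
    return hlen == slen && strncmp(host, server, slen) == 0;
}

/* Copy field 6 (the home directory) of a 7-field passwd(5) line into
 * buf. Returns false if the line has fewer than six fields or the
 * value does not fit. */
bool passwd_home(const char *line, char *buf, size_t bufsz)
{
    const char *p = line;
    for (int field = 0; field < 5; field++) {   /* skip name..gecos */
        p = strchr(p, ':');
        if (p == NULL)
            return false;
        p++;
    }
    const char *end = strchr(p, ':');           /* start of shell field */
    size_t n = end ? (size_t)(end - p) : strcspn(p, "\n");
    if (n >= bufsz)
        return false;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return true;
}

/* Convenience wrapper: is a login from this passwd line allowed on host? */
bool login_allowed(const char *passwd_line, const char *host)
{
    char home[256];
    if (!passwd_home(passwd_line, home, sizeof home))
        return false;                       /* malformed entry: refuse */
    return home_allows_host(home, host);
}

int main(void)
{
    /* Constructed sample entries and host names for demonstration. */
    const char *entries[] = {
        "user1:*:1001:1001:User One:/nfs/server1/usr/home/user1:/bin/sh",
        "user2:*:1002:1002:User Two:/nfs/server2/usr/home/user2:/bin/sh",
        "local:*:1003:1003:Local Only:/home/local:/bin/sh",
    };
    const char *host = "server2.example.org";   /* assumed local host name */

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-70s on %s -> %s\n", entries[i], host,
               login_allowed(entries[i], host) ? "allowed" : "denied");
    return 0;
}
```

On a real system the host name would come from gethostname(3) and the passwd line from getpwnam(3) (whose pw_dir field already holds the home directory, so passwd_home() would be unnecessary); the example parses a raw line only so that it runs against the constructed input above.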