Bugtraq mailing list archives

Re: /etc/shells (was Re: procmail


From: dugsong () umich edu (Douglas Song)
Date: Thu, 8 Aug 1996 15:17:16 -0400


On Thu, 8 Aug 1996, Jauder Ho wrote:

        how about extending the passwd fields one more after the shell so
that mine would be something like

auderho:x:1298:1:Jauder Ho:/export/home/jauderho:/usr/local/bin/tcsh:tf

so let's say that t stands for telnet allowed, ftp allowed ...
this allows pretty fine grained control over users.

We do user authorization based on AFS pts group membership. So a
machine service authorization file looks something like:

umich:lusers    deny
system:anyuser  ftp
umich:students  login,ftp,ssh,xdm
umich:admins    *

This is roughly similar in concept to what Wietse Venema did with
his login.access file for the logdaemon package, except that it extends
it to other services and utilizes AFS pts, not Unix, group membership.
I'm sure Wietse's code could be easily extended to accommodate different
services...

---
Douglas Song dugsong@{umich.edu,monkey.org}
University of Michigan ITD GPCC Unix Services
www: http://www-personal.umich.edu/~dugsong
keyid: C2263445 fingerprint: BF F5 20 EA DA 2F C4 F4  7D 68 4A 50 E4 35 D1 17
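
An added example, not part of the original post and not the umich code: a parser and access check for a service authorization file in the format quoted in the message above. The evaluation rules are assumptions (default deny, a matching "deny" overrides every allow, "*" means every service, "#" starts a comment), and group membership is passed in as a set instead of being looked up in AFS pts.

```python
# Constructed sample input: the four lines quoted in the message.
SAMPLE_POLICY = """\
umich:lusers    deny
system:anyuser  ftp
umich:students  login,ftp,ssh,xdm
umich:admins    *
"""


def parse_policy(text):
    """Return [(group, {services})] in file order; reject malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<group> <services>'")
        group, services = fields
        items = {s for s in services.split(",") if s}
        if not items:
            raise ValueError(f"line {lineno}: empty service list")
        if "deny" in items and len(items) > 1:
            raise ValueError(f"line {lineno}: 'deny' cannot be combined")
        rules.append((group, items))
    return rules


def is_authorized(rules, user_groups, service):
    """Default deny; a matching 'deny' rule overrides every allow (assumed)."""
    # In AFS, system:anyuser covers every user, so it always matches.
    groups = set(user_groups) | {"system:anyuser"}
    allowed = False
    for group, services in rules:
        if group not in groups:
            continue
        if "deny" in services:
            return False  # fail closed, whatever other groups would grant
        if "*" in services or service in services:
            allowed = True
    return allowed


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for groups in (set(), {"umich:students"}, {"umich:admins", "umich:lusers"}):
        print(sorted(groups), {s: is_authorized(rules, groups, s)
                               for s in ("ftp", "login", "ssh")})
```

Treating "deny" as an override means the result does not depend on the order of lines in the file, so a user who lands in both an allowed and a denied group is refused.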


