dbmacartney 01-20-2009 05:42 AM

how to restrict a user in NIS from logging on to a particular server
Morning everyone

I was wondering if someone has set something similar up in the past.

In my environment we have about 30 RHEL 4 servers. There are about 60 staff which SSH into each server depending on their role.

Each staff member would need to log onto roughly 20 servers to do their job.

I have just started here, and currently user management is set up as local users on each box.

I am going to pull my hair out if I get asked to manually create 30 accounts each time one new staff member starts work.

My knowledge of LDAP is sketchy to say the least but I do know how to use NIS and I have implemented it in the past and it solved the problems of wasting sys admin's time for account creation.

Here is the scenario. We have 30 servers. I have a new starter and this new starter, based on their role only needs access to 15 of the 30 servers.

I want to create his user account once. Is there a way to set up NIS for central authentication across the 30 servers, but then add additional parameters somewhere to specify a denied list of hosts?


step 1. create account on NIS server
step 2. if the user shouldn't be logging into a certain server or list of servers, specify the list of hostnames on the NIS server of the boxes which should be blocked.

I was thinking, perhaps by disabling the user account in /etc/passwd would do this, but I don't want to do this on half of the servers for each person I set up. My understanding of NIS is that even if I made a change like this on a server, the next time NIS updates the server, it would undo the change I just made.

Would anyone be able to assist?

Alternatively, if LDAP has this capability and you know of a decent article I would love to read up on it.

Many thanks

acid_kewpie 01-20-2009 05:50 AM

well this issue isn't anything to do with nis or ldap really. just configure an access.conf file to require, for example, each non-root user logging in to be a member of a certain group. That group could be per server, per group / function or for the entire implementation. if the boxes are set up to authenticate generally via ldap / nis whatever then you can also use access.conf to pull groups as well. So this logic doesn't live within the server side ever. but implicit rights to a given resource is still centrally controlled once the base configuration is in place. Personally I would recommend ldap for this backend, esp. if they already have one as you seem to suggest.

dbmacartney 01-21-2009 07:14 AM

Thanks Chris that is exactly what I am after.

Is there a way to set up restrictions from a central point? Or would this be best kept locally and perhaps updated by an rsync cron job to copy a master file to the necessary servers?

acid_kewpie 01-21-2009 07:29 AM

no crons needed. on the client you say "group XYZ can log into this box" in /etc/security/access.conf, and that group exists within ldap / nis whatever central system you use. So by adding and removing users on the central server, you'll define automatically who can log into the connected clients. As long as you have confidence in however you set up the groups you need never change anything on the clients again.
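
The two replies above describe the mechanism (pam_access reading /etc/security/access.conf, with group membership coming from NIS or LDAP) without showing a rule file or how it is evaluated. The block below is an added example, not code from the thread: it embeds a constructed access.conf (root from the console only, one central group over SSH, everyone else denied) and a small evaluator that mirrors the pam_access rules of "permission : users : origins", first matching line wins, default permit when nothing matches. The group names, user names and addresses are all made up. The parenthesised `(group)` form is the newer pam_access syntax; older versions matched a bare name as a user first and then as a group, which the evaluator keeps as a fallback.

```python
"""Simplified pam_access-style evaluator for /etc/security/access.conf (added example).

Enable the real check on a client with a line such as
    account  required  pam_access.so
in /etc/pam.d/sshd (or system-auth on RHEL); the groups named in the file are then
resolved through whatever NSS source the box uses (NIS, LDAP, local files).
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample access.conf: root only from a local tty, members of the central
# "ops-web" group from anywhere, and an explicit trailing deny because pam_access
# permits a login when no rule matches.
ACCESS_CONF = """\
# permission : users : origins
+ : root : LOCAL
+ : (ops-web) : ALL
- : ALL : ALL
"""

# Constructed group map standing in for the NIS/LDAP group database.
GROUPS: Dict[str, Set[str]] = {
    "ops-web": {"alice", "bob"},
    "ops-db": {"carol"},
}

Rule = Tuple[bool, List[str], List[str]]  # (allow?, user tokens, origin tokens)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse "perm : users : origins" lines, ignoring comments and blank lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf rule: {raw!r}")
        perm, users, origins = parts
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _user_matches(token: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):  # explicit group syntax
        return user in groups.get(token[1:-1], set())
    # bare name: a user name first, then a group name (older pam_access behaviour)
    return token == user or user in groups.get(token, set())


def _origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":  # pam_access: LOCAL matches any origin without a dot (tty, short host)
        return "." not in origin
    return token == origin


def _list_matches(tokens: List[str], match_one: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c' matches when some of a, b match and none of the EXCEPT list do."""
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        included, excluded = tokens[:idx], tokens[idx + 1:]
    else:
        included, excluded = tokens, []
    return any(match_one(t) for t in included) and not any(match_one(t) for t in excluded)


def check_access(rules: List[Rule], user: str, origin: str,
                 groups: Dict[str, Set[str]]) -> bool:
    """Return True if the login is permitted: first matching rule decides, default permit."""
    for allow, users, origins in rules:
        if (_list_matches(users, lambda t: _user_matches(t, user, groups))
                and _list_matches(origins, lambda t: _origin_matches(t, origin))):
            return allow
    return True  # no rule matched: pam_access lets the login through


def decisions() -> Dict[str, bool]:
    """Evaluate a few constructed logins against the sample file."""
    rules = parse_access_conf(ACCESS_CONF)
    cases = [("root", "tty1"), ("root", "10.0.0.5"), ("alice", "10.0.0.5"),
             ("carol", "10.0.0.5"), ("mallory", "10.0.0.5")]
    return {f"{u}@{o}": check_access(rules, u, o, groups=GROUPS) for u, o in cases}


if __name__ == "__main__":
    for login, allowed in decisions().items():
        print(f"{login:20} {'permit' if allowed else 'deny'}")
```

The trailing `- : ALL : ALL` line is the part people forget: without it a user who belongs to no listed group still gets in, because pam_access only denies on an explicit match. Per-server restriction then comes down to which group name each box names in its own access.conf, while membership of that group is managed once in NIS or LDAP.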

dbmacartney 01-21-2009 10:34 AM

That's perfect. Thanks for your assistance.

Jalindar 07-28-2010 05:49 AM

To restrict NIS user
How to restrict the NIS user to login to Server?
E.g. suppose I have 24 users and I want to deny access to 4 users. How do I do it?

acid_kewpie 07-28-2010 08:31 AM

Erm, did you bother reading a single word in this thread before posting in it?