> I am trying to set up a subnet with different sets of trusted hosts,
> i.e., the trusted hosts lists are different for the various groups
> allowing us to decide which machines have access to other machines
> via these trusted hosts lists. For example:
> ...
> on-line, or can someone forward me some clues on the setting up of
> PAM's files for r* commands for the multiple trusted host maps? Or
> even a way to bypass PAM and use the old somewhat-reliable
> authentication of UNIX days gone by?
>

The pam_netgroups module might be of help if I understand you correctly.
(See http://www2.physics.umd.edu/~payerle/Software/PAM/) You can set it up
to succeed if the remote host (as given by PAM_RHOST variable) belongs to a
NIS netgroup listed in some file. The files listing the netgroups will have
to be managed on a per machine basis.

The biggest problem I would see is that the pam_netgroups module is designed
as a session_management module, not an authentication module (as it really
doesn't authenticate, just checks authorization). I am not sure where the
PAM_RHOST variable gets set normally (if that is done automatically by PAM,
or if an authentication module is supposed to do that).

If you intend to grant access to anyone from machineA without any
authentication (e.g. the "somewhat-reliable authentication of Unix days gone
by" of rsh + .rhosts), you could do something like pam_success for
authorization followed by pam_netgroups for session_management. _I_ WOULDN'T
be comfortable with such, but then I'm not comfortable with .rhosts either.

Tom Payerle
Dept of Physics                 payerle@physics.umd.edu
University of Maryland          (301) 405-6973
College Park, MD 20742-4111     Fax: (301) 314-9525
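
The check described in the reply above (succeed only if the remote host belongs to a netgroup listed for this machine), modelled as an added example that is not part of the original message and is not the pam_netgroups module's code. The netgroup map, host names and the trusted_here list are constructed, and exact case-insensitive host matching is an assumption.

```python
import re

# Constructed sample map in netgroup(5) syntax: "name member member ...";
# a member is a (host,user,domain) triple or the name of another netgroup.
NETGROUPS = """
physics-ws   (ws1.example.edu,,) (ws2.example.edu,,)
chem-ws      (chem1.example.edu,,)
lab-servers  (srv1.example.edu,,) physics-ws
loop-a       loop-b
loop-b       loop-a (odd.example.edu,,)
nohosts      (-,alice,)
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroups(text):
    """Return {group: (host fields of its triples, nested group names)}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        rest = parts[1] if len(parts) > 1 else ""
        hosts = {m.group(1).strip().lower() for m in TRIPLE.finditer(rest)}
        groups[parts[0]] = (hosts, set(TRIPLE.sub(" ", rest).split()))
    return groups

def host_in_netgroup(groups, host, group, seen=None):
    """Membership test that follows nested groups and survives cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return False
    seen.add(group)
    hosts, nested = groups[group]
    # An empty host field is a wildcard; a "-" field matches no host.
    if "" in hosts or host.lower() in hosts:
        return True
    return any(host_in_netgroup(groups, host, g, seen) for g in nested)

def rhost_allowed(groups, rhost, trusted_groups):
    """Allow only when the remote host is in a netgroup this machine lists."""
    if not rhost or rhost == "-":      # no PAM_RHOST value: fail closed
        return False
    return any(host_in_netgroup(groups, rhost, g) for g in trusted_groups)

if __name__ == "__main__":
    groups = parse_netgroups(NETGROUPS)
    trusted_here = ["lab-servers"]     # hypothetical per-machine list
    for rhost in ("ws1.example.edu", "chem1.example.edu", ""):
        print(repr(rhost), rhost_allowed(groups, rhost, trusted_here))
```

A missing or empty remote host value is denied rather than matched against wildcard triples, which is the safe default when it is unclear what sets PAM_RHOST.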