Very Computer

by **yong** » Sat, 14 Nov 1998 04:00:00

I am seeking ways to implement time-based access control over NIS+ .

As I am developing program on booking system to be used in the
laboratories, I need to have some form of access control on the system
so that the students would seriously use the booking system to book the
laboratory resources. Unlike Windows NT, SUN Solaris' NIS+ does not
have the functionality of time-based access control.

The system administrators unlikely to allow me to mettle with NIS+ for
this case too. Without touching NIS+ API, could I possibly build such
program?

Of course, it should be transparent to the users. I don't attempt to
create gadget at their initializing files as it could be subjected to
tampering, although it's simple.

Thank you for reading my query.

rgds
yewho

by **Richard L. Hamilt** » Sun, 15 Nov 1998 04:00:00

On 2.6 or later, there's PAM (Pluggable Authentication Modules),
a framework for adding or replacing authentication services. It
shouldn't be too difficult to create a PAM module that consults a file
(or a new NIS+ table, if you like) that lists all those users who
are restricted to logging in only between certain hours. Problem is,
that in itself won't log them off when they exceed their time window,
although you could probably create a daemon to do that too.

If their shell is rksh (restricted ksh), and they're sitting on ttys
(not using XDM or dtlogin, anyway), you could set TMOUT to kick 'em
out after a certain amount of inactive time.

Quote:> I am seeking ways to implement time-based access control over NIS+ .

> As I am developing program on booking system to be used in the
> laboratories, I need to have some form of access control on the system
> so that the students would seriously use the booking system to book the
> laboratory resources. Unlike Windows NT, SUN Solaris' NIS+ does not
> have the functionality of time-based access control.

> The system administrators unlikely to allow me to mettle with NIS+ for
> this case too. Without touching NIS+ API, could I possibly build such
> program?

> Of course, it should be transparent to the users. I don't attempt to
> create gadget at their initializing files as it could be subjected to
> tampering, although it's simple.

> Thank you for reading my query.

> rgds
> yewho

--
ftp> get |fortune
377 I/O error: smart remark generator failed

Bogonics: the primary language inside the Beltway

by **expres** » Tue, 17 Nov 1998 04:00:00

Thank you, Martin.
I will look into that area for my works.

rgds
yewho

> Hi Have a look at SSMI from SUN (or BOKS from Security Dynamics -
> essesntially the same thing). This does all what you want plus more...

> Martin Hepworth

> > On 2.6 or later, there's PAM (Pluggable Authentication Modules),
> > a framework for adding or replacing authentication services. It
> > shouldn't be too difficult to create a PAM module that consults a file
> > (or a new NIS+ table, if you like) that lists all those users who
> > are restricted to logging in only between certain hours. Problem is,
> > that in itself won't log them off when they exceed their time window,
> > although you could probably create a daemon to do that too.

> > If their shell is rksh (restricted ksh), and they're sitting on ttys
> > (not using XDM or dtlogin, anyway), you could set TMOUT to kick 'em
> > out after a certain amount of inactive time.

Very Computer

Time-based Access Control

Time-based Access Control

Time-based Access Control

Time-based Access Control