>At my organization, our inept NIS/network administrators have blocked
>everyone's workstations in our area from accessing the internet
>through our gateway, except those who have justified getting access,
>authorized by management.
>Unfortunately, the access blocking mechanism they used is pathetically
>easy to get around:
>All our networked (AIX 3.25) systems are on an NIS LAN, with each
>user's account automounted. They've blocked ftp and telnet by
>authenticating at the originating socket level, meaning that a request
>is authorized if it originates from the authorized system's IP
>address. All any unauthorized user needs to do is rlogin to my
>system, and initiate the ftp request, and make transfers to globally
[snip some more]
Since you are using NIS, why don't you make a netgroup of users who are
allowed to log onto the machine, and install that netgroup in the passwd
file on the authorized machine. So in place of the usual NIS map token
instead of +::0:0:::
Then people not in the group will not be able to log in. If I have
understood your problem correctly, then this would help (at least until
you find something more elegant).
--> This moment's fortune cookie:
Heuristics are bug ridden by definition. If they didn't have bugs,
then they'd be algorithms.
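
The check suggested in the reply above can be audited with a short script. This is an added example, not part of the original post. It assumes the conventional NIS compat syntax for passwd entries (`+` for all NIS users, `+@netgroup` for members of a netgroup), which the post does not show in full; the netgroup name `inetusers` and the sample files are constructed.

```python
# Added example: audit NIS compat entries in a passwd file.
# Assumption: conventional compat syntax ("+", "+@netgroup", "+user", "-...").
# The SAMPLE_* files are constructed; the netgroup "inetusers" is hypothetical.

def classify(line):
    """Return (kind, name) describing what one passwd line admits."""
    name = line.split(":", 1)[0]
    if name == "+":
        return ("include_all", None)          # imports every NIS user
    if name.startswith("+@"):
        return ("include_netgroup", name[2:])
    if name.startswith("-@"):
        return ("exclude_netgroup", name[2:])
    if name.startswith("+"):
        return ("include_user", name[1:])
    if name.startswith("-"):
        return ("exclude_user", name[1:])
    return ("local", name)

def audit(passwd_text):
    """Summarise which NIS accounts the file imports."""
    result = {"wildcard_entry": False, "netgroups": [], "users": []}
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, name = classify(line)
        if kind == "include_all":
            result["wildcard_entry"] = True
        elif kind == "include_netgroup":
            result["netgroups"].append(name)
        elif kind == "include_user":
            result["users"].append(name)
    return result

SAMPLE_OPEN = "root:!:0:0::/:/bin/ksh\n+::0:0:::\n"
SAMPLE_RESTRICTED = "root:!:0:0::/:/bin/ksh\n+@inetusers::0:0:::\n"
# A netgroup line does not restrict anything if the wildcard line is left in.
SAMPLE_MIXED = SAMPLE_RESTRICTED + "+::0:0:::\n"

if __name__ == "__main__":
    for label, text in (("open", SAMPLE_OPEN),
                        ("restricted", SAMPLE_RESTRICTED),
                        ("mixed", SAMPLE_MIXED)):
        print(label, audit(text))
```

A file passes the audit only when `wildcard_entry` is false and `netgroups` lists the intended group; the mixed sample shows the case where the netgroup line was added without removing the wildcard line.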