Thanks for the info. A similar solution to what you suggest is netgroups, or so I’m told. The groups exist within the directory rather than on the local machines.

In my case though it’s not quite how you describe. Each machine points at a separate OU in the LDAP directory. So we can control which accounts can access which machines using our central host management system.

The problem I’m solving is the case where the user account does need to go on the machine (eg. it could be a Samba server), but the user shouldn’t be able to log in.

Using the method you describe would work, but would require additional groups to be created and managed (and there’s an annoying limit on the number of groups an individual can belong to with NFS). Groups in our setup are not currently managed by the central system either.

The route I’ve chosen works using the password field sent by the management system, which we can control centrally. And my LDAP management code can then lock out (or unlock) an account on the LDAP server without ever touching the end system.

Thanks for your comments though, it’s useful to know about other solutions. And it’s refreshing to get a non-spam comment

In GNU/Linux there exists a different approach than the one you have suggested for Solaris/FreeBSD. You can use the pam module pam_access which will then allow you to deny groups of users to logon:

http://blog.evad.info/2008/11/27/manage-access-to-your-linux-systems-via-groups-pam_access/

Sadly Solaris lacks an equivallent to pam_access, such that many people port Linux PAM’s pam_access to Solaris. I don’t believe there is an equivallent under FreeBSD either.

Once you place pam_access in your PAM stack (under “account”) you can use one configuration file in /etc/security/ and you’re done. The security file will remind you how how compat mode used to work in /etc/passwd in the days of NIS. You simply prefix the lines with “-” to deny and “+” to allow.

I hope this is helpful to you, however given its a Linux specific “innovation” which has not been replicated to other free operating systems its usefulness to you is probably limited. This, at any rate, is probably why pam_unix on Linux PAM is less useful than its cousins.

Of course, this should work with external authentication even if “auth” isn’t being consulted because “account” should still be consulted by the SSH Daemon (or some other access system). Let me know if you find a better solution, right now I’m still using NIS at work (shudder) so the problem does not yet exist for us.