Conference irocz::netrider

Title:NetRider --- Remote Network Access Conference
Notice:Please use keywords! See Note 2 for Directory of Important Notes
Moderator:LAVC::CAHILLON
Created:Tue Jan 24 1995
Last Modified:Mon Jun 02 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:554
Total number of notes:2264

550.0. "HOST authentication, but access for only certain accounts" by SANITY::LEMONS (And we thank you for your support.) Thu May 22 1997 11:36

    Hi
    
    I'd like to use HOST authentication by installing a DRAS server on a
    Windows NT Server V4.0 system.  I want the NAS server to use its DRAS
    client to verify the domain\username and password on the DRAS
    server/Windows NT Server system.  But can it do more?  We have many
    users at my site who have access to NT resources at work, but whose
    managers do not want them to have access from home.  Can I use DRAS to,
    not only look at the HOST authorization database to match
    username/password, but to allow access only if a specific value is set
    for that user in the HOST authorization database?
    
    What I'm trying to prevent is the creation of a separate DRAS database
    with records for every user on site.  I know of changes in the next
    DRAS release that will GREATLY improve my chances of doing this.  But I
    do need to go this extra distance, and allow/disallow access to some
    users who do have legitimate HOST access.
    
    Any thoughts on how I can do this?  Or does it require a new feature in
    DRAS?
    
    Thanks
    tl

550.1. "What in the host authorization database would you use?" by twick.nio.dec.com::PETTENGILL (mulp) Fri May 23 1997 00:04 (15 lines)

I suppose on VMS you could use the DIALUP restriction by day/time, but
what would you use on unix since NIS provides very little beyond what
is in the /etc/passwd file.  (Scaling problems in unix's "enhanced security"
make using that with NIS something that system managers don't want to do.)

It seems to me that it would be far easier to develop a web interface to
the VMS DRAS$MANAGER CLI interface that would allow system managers to
grant each user access, or perhaps a mail interface where you filled in a
form and mailed it to an automaton, than to somehow get all the various O/S
flavors and versions to have something that could be used as a flag.

I'm sure that you would agree that there's no hope of getting all operating
systems to have a specific feature to support what you want in a reasonable
time frame, i.e., less than about 50 years.