By default, debathena-login and debathena-workstation will configure machines somewhat like a public cluster workstation: any Athena account holder can log in locally, while only those users that have local accounts on the system (i.e. those in /etc/passwd) can log in remotely. You can reconfigure this as follows:
Edit the access controls in /etc/security/access.conf. The comments in the default file are pretty good documentation, but below are some constructs that may be helpful:
    # Only root, andersk, and tabbott can log in.
    -:ALL EXCEPT root andersk tabbott:ALL

    # Only andersk and tabbott can log in remotely.
    -:ALL EXCEPT andersk tabbott:ALL EXCEPT LOCAL

    # Only users in group gsipb can log in.
    -:ALL EXCEPT gsipb:ALL

    # Only tabbott and users with local accounts can log in
    +:nss-local-users tabbott:ALL
    -:ALL:ALL
Any group which appears in /etc/security/access.conf must either be a local group, or must be marked as an NFS group in Moira (you can mark a Moira group that you own as an NFS group using blanche -N LIST). Also, be aware that changes to the membership of Athena NFS groups take a few hours to take effect.
When setting your security policy, you may find the special groups nss-local-users and nss-nonlocal-users useful: they contain the users who have (and don’t have) local accounts on the system.
hesinfo tabbott grplist
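Rules in access.conf are checked from top to bottom and the first one that matches decides, so a misplaced line can lock everyone out. The following Python sketch is an added example (not part of the original page or of Debathena) that models this evaluation so a policy can be tried against sample logins before it is installed. It is a simplified model, not pam_access itself: the origin is either LOCAL or a host name, and the group memberships, the users jrandom and localadmin, and the host remote.example.org are constructed for illustration.

```python
# Simplified model of how access.conf rules are evaluated (illustration only;
# this is not pam_access). Origin is "LOCAL" or a remote host name.

# Constructed sample data: group name -> members.
GROUPS = {"nss-local-users": {"root", "localadmin"}, "gsipb": {"andersk"}}

# Two of the constructs shown on this page.
REMOTE_ONLY = "-:ALL EXCEPT andersk tabbott:ALL EXCEPT LOCAL"
LOCAL_ACCOUNTS = """
# Only tabbott and users with local accounts can log in
+:nss-local-users tabbott:ALL
-:ALL:ALL
"""

def _match(tokens, names):
    """'A B EXCEPT C' matches when A or B matches and C does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match(tokens[:i], names) and not _match(tokens[i + 1:], names)
    return any(tok == "ALL" or tok in names for tok in tokens)

def decide(policy, user, origin, groups=GROUPS):
    """Return True to allow, False to deny; the first matching rule wins."""
    names = {user} | {g for g, members in groups.items() if user in members}
    for line in policy.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":"))
        if _match(users.split(), names) and _match(origins.split(), {origin}):
            return perm == "+"
    return True  # no rule matched: access is granted

if __name__ == "__main__":
    for user, origin in [("jrandom", "LOCAL"), ("jrandom", "remote.example.org"),
                         ("tabbott", "remote.example.org")]:
        print("REMOTE_ONLY", user, origin, decide(REMOTE_ONLY, user, origin))
    for user in ("localadmin", "tabbott", "jrandom"):
        print("LOCAL_ACCOUNTS", user, decide(LOCAL_ACCOUNTS, user, "LOCAL"))
    # Rule order matters: with the catch-all deny first, nobody gets in.
    swapped = "-:ALL:ALL\n+:nss-local-users tabbott:ALL"
    print("swapped", "tabbott", decide(swapped, "tabbott", "LOCAL"))
```

Note that a rule such as `-:ALL EXCEPT gsipb:ALL` also denies root unless root is a member of that group, which the model makes easy to confirm before deploying.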