It would be a tremendous asset for me if I could use NIS + netgroups to
   implement login restrictions on my machine.  The way I'm most familiar
   with is to place "+@name" and "-@name" into the password file, which then
   includes users in the named netgroup from the NIS passwd map.

   Has anybody else done any work on this?  If not, is it be reasonable
   to modify getpwent(3) to do the appropriate thing?

I think this is `reasonable' if we really want to `support' NIS.  I'd
like pwd_mkdb() to collect the + lines in such a way that we don't
have to resort to a linear scan of the pw file, though!