Operating System - HP-UX

Re: Restrict specific user from telnet session with c shell

 
SOLVED
shardam
Frequent Advisor

Restrict specific user from telnet session with c shell

Hi,

I would appreciate it if someone who has had to restrict a particular user from telnet with the C shell could help. This user must only be used via "su" from the normal users (switch only). I tried to create a script under .cshrc and even from .login, but it is still bypassed and the user can still log in directly. The requirement is only to restrict this user from logging in directly by telnet; normal users must su to this restricted user (telnet). My client is using telnet and they haven't implemented ssh, kinda weird =) as it was already suggested, but they still stick to telnet =). Thank you for sharing your comments!
16 REPLIES 16
Aussan
Respected Contributor

Re: Restrict specific user from telnet session with c shell

Make his shell false.

Make the default shell for the user /usr/bin/false.
Be sure this is in the /etc/shells file.

The tongue weighs practically nothing, but so few people can hold it
Tim Nelson
Honored Contributor

Re: Restrict specific user from telnet session with c shell

/usr/bin/false for the shell will lock out the direct connection but it will also cause su with a "-" to fail.

Another option mentioned many times in these forums is to shut down telnet and use ssh. The ssh daemon can control direct logins.

If really adventurous, you could play with writing a wrapper around the telnet daemon, i.e. check the black list, then fire off telnet.

Another option is to put the black list check in /etc/profile. At least the users could not circumvent this profile in lieu of their own.

pssst....Don't lock yourself off the system while testing..
Tim Nelson
Honored Contributor

Re: Restrict specific user from telnet session with c shell

One other note. If you wrap the telnetd beware that it would most likely be overwritten with a patch load.
Ivan Krastev
Honored Contributor

Re: Restrict specific user from telnet session with c shell

Hi Alfredo,

See KB doc "HP-UX telnet - How to Restrict Telnet Access by User" - http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1


There are many examples to restrict users.


regards,
ivan
larsoncu
Advisor
Solution

Re: Restrict specific user from telnet session with c shell

Don't know if this is the suggested doc, being I can't read it.

But if the user is su'ing, when you do a who -um it will display the user you logged in as. Therefore, if you logged in as a different user and su'ed, then whoami and who -um will be different. If whoami and who -um are the same, you probably telnetted in.

Could put this in the /etc/login? (whatever is used by csh) to test the values and not allow access if they are the same.
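The check described in the answer above, written as a csh fragment. This is an added example, not code posted by anyone in the thread; it assumes the system-wide csh login file is /etc/csh.login, and `dbauser` is a placeholder account name.

```csh
# Constructed example for /etc/csh.login ("dbauser" is a placeholder).
# After "su - dbauser" the utmp entry for the terminal still names the
# account that originally logged in, so "who -um" and "whoami" differ.
# On a direct telnet login the two names are the same.

# Ignore interrupts so that ^C during login cannot skip the check.
onintr -

# Accounts that may only be reached through su.
set restricted = ( dbauser )

set effective = `/usr/bin/whoami`
# First word of the "who -um" line is the login name recorded for this tty.
set utmpline = ( `/usr/bin/who -um` )

foreach acct ( $restricted )
    if ( "$effective" != "$acct" ) continue

    if ( $#utmpline == 0 ) then
        # No utmp entry for this terminal: an su cannot be confirmed, so refuse.
        echo "Direct login as $acct is not permitted. Log in as yourself and use su."
        logout
    endif

    if ( "$utmpline[1]" == "$acct" ) then
        # Leave a trace for whoever reviews syslog.
        logger -t csh.login -p auth.notice "refused direct login as $acct"
        echo "Direct login as $acct is not permitted. Log in as yourself and use su."
        logout
    endif
end

unset restricted effective utmpline acct
# Restore default interrupt handling for the rest of the session.
onintr
```

Only csh login shells read this file, so `su dbauser` without the `-` is unaffected and `su - dbauser` passes because the terminal's utmp entry belongs to the original user. Keep a second root session open while testing so a mistake does not lock the account out.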
shardam
Frequent Advisor

Re: Restrict specific user from telnet session with c shell

Hi All,

Sorry for my delayed reply, however:

Aussan, modifying the shell to /usr/bin/false will disable the user totally, even if you do "su/su -".

Tim, TCP wrapper: based on my experience with this service tool, as far as I know it will restrict only the specific users from certain services/daemons, but this can work only to restrict certain hosts, IPs/subnets from the host.deny/allows files. Take note this user is using the csh shell and I don't think it's using /etc/profile (applicable only with POSIX/Bourne shells) but /etc/csh.login. The requirement for this DBA user is to restrict direct telnet. I made some scripts in this user's profile (.cshrc/.login) but it is still bypassing my script.
Is it possible with TCP wrapper to restrict a certain user's access to daemons/services?

Ivan, sorry, no access to the HP Europe ITRC site, only ASIPAC =) but let me try to register there later. Would appreciate it if you can attach it here.

Thanks again for your support, but our clients have been using this login service from the start and most of them have implemented it in the production systems, and it was already suggested to use ssh instead =(
OldSchool
Honored Contributor

Re: Restrict specific user from telnet session with c shell

TY 007
Honored Contributor

Re: Restrict specific user from telnet session with c shell

Hello Alfredo,

Workaround: /var/adm/inetd.sec

Thanks