https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953100#M116475 Hi Gregory,<BR />Although tcp_wrappers and inetd.sec will allow or restrict networks and hosts, I do not believe they will restrict users on networks or hosts, so as I understand, they won't work for his needs.<BR /><BR />HTH,<BR />Kel Wed, 16 Apr 2003 18:15:45 GMT Kelli Ward 2003-04-16T18:15:45Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953095#M116470 I'm looking to migrate users on a 11i system off of telnet and onto SSH. I am unable to stop the telnetd process, as our production systems require that a generic login be able to access the server. I'm not too worried about this traffic as no sensitive information is being passed over these sessions.<BR /><BR />I fear that asking them nicely not to use telnet will have a limited effect.<BR /><BR />In a nutshell, what I need to do is do is disable telnet for all users except 'menu'. I've looked into slapping some script to kick them off into /etc/profile but I fear that will take effect when they login through ssh as well. I'm unable to find a way to tell the difference between a telnet session and a ssh session in a shell script so I can terminate the connection appropriatly.<BR /><BR />Thanks in advance (and please excuse my abhorrent spelling)<BR />Bruce Wed, 16 Apr 2003 15:45:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953095#M116470 Bruce Link 2003-04-16T15:45:50Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953096#M116471 Bruce<BR /><BR /><BR />In a script pick up the process id and its parent id and if parent telnd then exit.<BR /><BR />Just an idea.<BR /><BR />Paula Wed, 16 Apr 2003 15:50:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953096#M116471 Paula J Frazer-Campbell 2003-04-16T15:50:34Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953097#M116472 Bruce,<BR /><BR />You get an A+ for spelling! Not a single mistake.<BR /><BR /><BR />Pete Wed, 16 Apr 2003 15:51:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953097#M116472 Pete Randall 2003-04-16T15:51:23Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953098#M116473 man on inetd.sec.<BR /><BR />you can configure /var/adm/inetd.sec file to allow only the specific ipadress to access ftp,telnet,rlogin etc. You can configure for entire subnet or perticular ip.<BR /><BR />Good luck<BR /><BR />-USA.. Wed, 16 Apr 2003 15:51:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953098#M116473 Uday_S_Ankolekar 2003-04-16T15:51:45Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953099#M116474 Bruce,<BR /><BR />Being relatively new to Unix I could be wrong on this, but couldn't you use TCP Wrappers and then deny all in the hosts.deny file. <BR /><BR />You could have the telnet process running but no one could access it.<BR /><BR />Regards,<BR />Greg Wed, 16 Apr 2003 17:28:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953099#M116474 Gregory Lee_1 2003-04-16T17:28:18Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953100#M116475 Hi Gregory,<BR />Although tcp_wrappers and inetd.sec will allow or restrict networks and hosts, I do not believe they will restrict users on networks or hosts, so as I understand, they won't work for his needs.<BR /><BR />HTH,<BR />Kel Wed, 16 Apr 2003 18:15:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953100#M116475 Kelli Ward 2003-04-16T18:15:45Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953101#M116476 Hi Bruce,<BR /><BR />Yes, you CAN do this with tcp_wrappers.<BR /><BR />First - set up the hosts.deny as follows<BR /><BR />telnetd : ALL<BR /><BR />Then - set up the hosts.allow as follows<BR /><BR />telnetd : menu@ALL<BR /><BR />Of course this does nothing about FTP, rlogin, finger, etc. But you can tailor the files to cover those as well or use inetd.sec to limit those in addition. And you could limit the user menu to a specific host or subnet<BR /><BR />telnetd : menu@host1 <BR />telnetd : menu@128.1.1<BR /><BR />HTH,<BR />Jeff<BR /><BR />P.S. Sorry Kel...had to set the record straight. Wed, 16 Apr 2003 18:39:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953101#M116476 Jeff Schussele 2003-04-16T18:39:20Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953102#M116477 No Problem,<BR />I don't use tcp_wrappers all that much.<BR />Can you use user@ with inetd.sec?<BR />Never seen it in the man pages, didn't think you could.<BR />If not, I think it should be added, that's a usable tool.<BR />Thanks for the info.<BR />Kel Thu, 17 Apr 2003 13:12:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953102#M116477 Kelli Ward 2003-04-17T13:12:42Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953103#M116478 Hi Kel,<BR /><BR />AFAIK only tcp_wrappers has this functionality - you're correct, inted.sec does not.<BR /><BR />Rgds,<BR />Jeff<BR /><BR />P.S. The new hat looks good on you. Purple must be your color. Thu, 17 Apr 2003 13:20:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953103#M116478 Jeff Schussele 2003-04-17T13:20:45Z https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953104#M116479 I found this question interesting, because I am trying to do a similar function. I have need to disable telnetd specifically for one user. I want the user to have access to ftp and they must have full access to their startup files, i.e, /etc/profile, .profile, etc.<BR /><BR />I loaded the tcp_wrappers for 11.0 from the "dspp" page. Seems to have loaded ok.<BR /><BR />However, I cannot get the /etc/hosts.allow or the /etc/hosts.deny to act as I wish. I have read the hosts_access man pages...I thought things were pretty clear, but, I can't seem to deny telnetd to a specific user.<BR /><BR />This is my entry in the hosts.deny (I have no host.allow):<BR />telnetd: myuserid@ALL<BR /><BR />(I'm really looking for a function like the /etc/securetty --- the root only deny mechanism).<BR /><BR />Any help would be appreciated. Thu, 12 Jun 2003 20:13:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/disalbing-telnet-for-specific-users/m-p/2953104#M116479 Jim Krol 2003-06-12T20:13:20Z