topic Re: Users restriction? in Operating System - HP-UX

Users restriction?

ashwin — Sat, 18 Nov 2000 03:54:32 GMT

hello all,
What are the diifferent ways to restrict users to log on to the system from a specific 'tty'.
eg. user--> should log from tty /dev/pty3 only.

Re: Users restriction?

Paula J Frazer-Campbell — Sat, 18 Nov 2000 11:52:04 GMT

Hi

This may help for root
If the /etc/securetty file is present, login security is in effect.
Only user root is allowed to log in successfully on the ttys listed in
this file. Restricted ttys are listed by device name, one per line.
Valid tty names are dependent on installation. An example is
console
tty01

To control a user to a specificy tty you can put a short scrip in their .profile to pick up their tty and if no match to tty in .profile throw a exit at them, this has the ability to allow a user a range of login ttys.

See man login

HTH

Paula

Re: Users restriction?

Bill Hassell — Sun, 19 Nov 2000 20:21:49 GMT

While you can certainly modify /etc/profile to restrict access by user name, time of day, number of logins allowed per user, terminal port and so on, network logins are a bit more complicated. Your example of a pty login, while possible to test, will likely be of no use as pty ports are assigned not by the requestor but as needed by the system.

Thus, for any given login, the pty (now more likely, a streams pts device file) assigned will be essentially unpredictable.

However, you can certainly test for the name or IP address of the incoming device using who -mur.

Re: Users restriction?

Tommy Palo — Mon, 20 Nov 2000 10:21:27 GMT

If you can get hold of the IP-address instead you could use /var/adm/inetd.sec to control access.

Re: Users restriction?

ashwin — Wed, 22 Nov 2000 02:43:46 GMT

thanks to all,
But what are other ways to restrict pertoculer user to login from /dev/tty3 other than putting a script in .profile.

thankx once again to all.

Re: Users restriction?

Bill Hassell — Wed, 22 Nov 2000 03:04:27 GMT

As mentioned, there is no way to predict what tty device the user will have. However, the concept is simple. Put the test in /etc/profile (.profile is under control of the user). The test for the user ID and terminal as well as the incoming hostname or IP address can be combined in one command:

who -muR

Extract the fields like this:

echo $(/usr/bin/who -muR) | awk '{print $1," " ,$2," ",$NF}' | read MYUID MYTTY MYPORT

Now test $MYUID and $MYTTY or $MYPORT. If they don't meet your criteria, then just exit from /etc/profile (with an appropriate message).