topic Re: Disable telnet enable ssh in Operating System - HP-UX

Disable telnet enable ssh

twtandigi.com.my — Fri, 30 Jul 2004 05:44:48 GMT

hi,

i am currently using hp-ux 11.00 and have this set-back.

i would like to enquire about
1)how do i enable ssh to allow only users to access the system and not the root account to enter the system?
2)how can i disable telnet function on the HP-UX 11.00 system and enable ssh instead?

Regards,
Calvin

Re: Disable telnet enable ssh

Jose Mosquera — Fri, 30 Jul 2004 06:00:36 GMT

Hi,

To avoid that users can not do "su - root" from system prompt, add in the /etc/defaul/security file the following line:
SU_ROOT_GROUP=

Where wil be a group of users defined into /etc/group that can execute "su - root", if only root user belong at this group nobody more can done the command.

Other way could be the /etc/securetty file, where indicate the valid devices (tty's or console) to allow root's logings.

Telnet is a service, and ssh is a command interpreter, both of them are complementary and not excluding. You could change a standar command interpreter by secure shell (ssh), but all of them always needs telnet services, at least on LAN environments.

Rgds.

Re: Disable telnet enable ssh

Alexander M. Ermes — Fri, 30 Jul 2004 06:10:07 GMT

Hi there.
In the /etc/inetd.conf you can disable the telnet line ( # in front of it ).
Rgds
Alexander M. Ermes

Re: Disable telnet enable ssh

Jose Mosquera — Fri, 30 Jul 2004 06:17:34 GMT

Hi again,

In any case, if you need restric the telnet service you can configure the /var/adm/inetd.sec file. For detail pls "man inetd.sec". Also other services like ftp, rmsh/rcp can be restricted by this file.

Rgds.

Re: Disable telnet enable ssh

Fabio Ettore — Fri, 30 Jul 2004 06:20:59 GMT

Hi,

in order to disable telnet you have to comment out the line of telnet service in /etc/inetd.conf:
# telnet stream tcp nowait root /usr/lbin/telnetd telnetd

About ssh: you should be able to use it just after the installation of the ssh package. Sincerely I don't know if it is possible to deny root access and permit other users.
I think /var/adm/inetd.sec wher you can deny ssh service by IP address/hostnames but it is not possible by usernames.

Best regards,
Fabio

Re: Disable telnet enable ssh

sparky_2 — Fri, 30 Jul 2004 06:21:21 GMT

1) sorry - not too familiar with the user authentication side of the product
2) you can disable the telnet function by putting the following line in /var/adm/inetd.sec:
telnet deny
Enabling ssh is part of the installation process whereby you need to authenticate each each remote host on the local server and copy the authorized_keys file into the .ssh directory of each remote host. The product should come with full installation guides I think.

Re: Disable telnet enable ssh

Muthukumar_5 — Fri, 30 Jul 2004 06:30:52 GMT

IF you want to totally disble telnet then comment (#) telnetd entry in /etc/inetd.conf file. But it is not good to test the services and login into machines those who are not having ssh

So why do not you try to block the users to use telnet with inetd.sec file. Give ip-address or hostname in that file and block them to use telnet.

To make the users to use with user accounts to login only, create a file as

echo "console" > /etc/securetty

login security will be in effect now.

See login man page to know securetty more

Re: Disable telnet enable ssh

Jan Sladky — Fri, 30 Jul 2004 06:39:24 GMT

hi Calvin,

to disable telnet comment following line in
/etc/inetd.conf

telnet stream tcp nowait root usr/lbin/telnetd telnetd

and

restart inetd by inetd -c

br Jan

Re: Disable telnet enable ssh

Muthukumar_5 — Fri, 30 Jul 2004 06:39:49 GMT

Change the permission of /etc/securetty file to 600 so that users cannot change the one.

And more SU_ROOT_GROUP parameter will not be helpful to stop the root logins. It will be used to stop the users to use su to promote as users.

To block root logins using ssh, tune

PermitRootLogin=0 on sshd_config file

Re: Disable telnet enable ssh

Gary L. Paveza, Jr. — Fri, 30 Jul 2004 06:43:22 GMT

To disable telnet:

Modify /etc/inetd.conf. Put a # infront of the line that starts with telnet.

If implementing ssh you may also want to disable the r-commands (rlogin, remsh, etc) since ssh is a replacement for these as well. The valid lines are login (for rlogin), shell (for remsh), and exec.

FTP as well though this may be more difficult if you use ftp from a PC which does not support sftp or scp.

Once you make these changes, you need to have inetd re-read it's configuration file.

Send it a SIGHUP command or issue the command inetd -c to get it to reread it's configuration.

To prevent direct login via ssh, you need to modify the /opt/ssh/etc/sshd_config script. Make sure there is a line that says PermitRootLogin no is not commented. You will need to restart ssh (/sbin/init.d/secsh stop, /sbin/init.d/secsh start)