topic Re: about telnet in Operating System - HP-UX

about telnet

wangmx — Mon, 06 Jun 2005 08:20:53 GMT

how to deny a special user login host from telnet.but allow login from ssh?
thanks!

Re: about telnet

Steven E. Protter — Mon, 06 Jun 2005 08:27:36 GMT

You can set up the user ip address in /var/adm/inetd.sec with telnet set to deny and secure shell set to allow.

SEP

Re: about telnet

wangmx — Mon, 06 Jun 2005 08:40:03 GMT

thank your reply so fast.
But I want to allow user,not his ip!

Re: about telnet

Denver Osborn — Mon, 06 Jun 2005 10:04:38 GMT

An easy way might be to add something to his .profile that would check for the existence of an SSH env variable that gets set by ssh. If the var doesn't exist, we can assume it's not ssh and exit... SSH_CLIENT should be set w/ each user's ssh login.

hope this helps,
-denver

Re: about telnet

D Block 2 — Mon, 06 Jun 2005 22:04:56 GMT

The funny thing is, I do not believe there is an "Allow User" for ssh on HP-UX. You must create a list of all user logins for ssh to be Denied. Create the Deny User list in the sshd config file.

Simply, remove the user login that you would like to Allow in this Deny User list.

Re: about telnet

Vibhor Kumar Agarwal — Tue, 07 Jun 2005 03:13:17 GMT

I did a similar thing some time back.

Just write "exit" in the .profile of the user.
Now whenever he will telnet, he will be logged off.

Re: about telnet

Muthukumar_5 — Tue, 07 Jun 2005 03:31:33 GMT

You can deny a special user using /etc/profile as,

if [[ "$LOGNAME" = "splusername" ]]
then
ps | grep -q 'telnet'
if [[ $? -eq 0 ]]
then
echo "$LOGNAME is denied with telnet login"
sleep 2
fi
fi

If you want to control based on specific user from specific IP for using telnet then,

if [[ "$LOGNAME" = "splusername" ]]
then
if [[ $(who -mu | awk '{ print $8 }') = "ip-address" ]]
then
ps | grep -q 'telnet'
if [[ $? -eq 0 ]]
then
echo "$LOGNAME is denied with telnet login"
sleep 2
fi
fi
fi

hth.

Re: about telnet

Muthukumar_5 — Tue, 07 Jun 2005 03:53:40 GMT

Try to put exit 1 after sleep 2 in above script. Then only it will deny users.

You can deny a special user using /etc/profile as,

if [[ "$LOGNAME" = "splusername" ]]
then
ps | grep -q 'telnet'
if [[ $? -eq 0 ]]
then
echo "$LOGNAME is denied with telnet login"
sleep 2
exit 1
fi
fi

If you want to control based on specific user from specific IP for using telnet then,

if [[ "$LOGNAME" = "splusername" ]]
then
if [[ $(who -mu | awk '{ print $8 }') = "ip-address" ]]
then
ps | grep -q 'telnet'
if [[ $? -eq 0 ]]
then
echo "$LOGNAME is denied with telnet login"
sleep 2
exit 1
fi
fi
fi

Re: about telnet

D Block 2 — Tue, 07 Jun 2005 21:55:47 GMT

just thinking of logging herein.. you will want to log to syslog the telnet users and the ssh users.

here's a "gem" to think about from Bill Hassell.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=697894

HP-UX 11.11 uses PAM for all authentication. You can loggin options for ssh in /etc/opt/ssh/sshd_conf. For a normal login, you can add this to /etc/profile:

TTY=$(tty)
RHOST=$(who -muR | awk '{print $NF}')
UID=$(id -ur)
EUID=$(id -u)
RUSER=$(id -un)
logger -t "login-info" -p auth.info "logname=$LOGNAME uid=$UID euid=$EUID tty=$TTY ruser=$RUSER
rhost=$RHOST"

This only writes a syslog message when the user is successful in getting a login.