topic Re: Restrict specific user from telnet session with c shell in Operating System - HP-UX

Restrict specific user from telnet session with c shell

shardam — Fri, 21 Sep 2007 04:27:26 GMT

Hi,

I appreciate if someone has encountered to restrict particular user from telnet with c shell. This user must only be used by "su" from the normal users (switch only). I tried to create a script under .cshrc and even from .login but still bypassing it and user can still login directly. The requirements must only restrict this user to login directly by telnet and normal users must do su to this restricted user(telnet). My client is using telnet and they haven't ssh implemented, kinda weird =) as already suggested but still stick to telnet =). Thank you for the sharing of your comments!

Re: Restrict specific user from telnet session with c shell

Aussan — Fri, 21 Sep 2007 08:40:31 GMT

make his shell false

Make the default-shell for the user /usr/bin/false
be sure this is in the /etc/shells file.

Re: Restrict specific user from telnet session with c shell

Tim Nelson — Fri, 21 Sep 2007 08:48:21 GMT

/usr/bin/false for the shell will lock out the direct connection but it will also cause su with a "-" to fail.

Another option mentioned many times in these forums is shutdown telnet and use ssh. the ssh daemon can controll direct logins.

If really adventurous you could play with writing a wrapper around the telnet daemon. i.e. check black list then fire off telnet

Another option is to put the black list check in /etc/profile. At least the users could not circumvent this profile in liue of their own.

pssst....Don't lock yourself off the system while testing..

Re: Restrict specific user from telnet session with c shell

Tim Nelson — Fri, 21 Sep 2007 08:49:25 GMT

One other note. If you wrap the telnetd beware that it would most likely be overwritten with a patch load.

Re: Restrict specific user from telnet session with c shell

Ivan Krastev — Fri, 21 Sep 2007 08:50:42 GMT

Hi Alfredo,

See KB doc "HP-UX telnet - How to Restrict Telnet Access by User" - http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1

There are many examples to restict users.

regards,
ivan

Re: Restrict specific user from telnet session with c shell

Ivan Krastev — Fri, 21 Sep 2007 08:50:52 GMT

Re: Restrict specific user from telnet session with c shell

larsoncu — Fri, 21 Sep 2007 09:18:42 GMT

don't know if this is the suggested doc being i can't read it.

but if the user is su'ing, when you do a who -um it will display the user you login as. therefore if you logged as a different user and su'ed then whoami and who -um will be different. if whoami and who -um are the same you probably telneted in.

could put this in the /etc/login ? (whatever is used by csh) to test the values and don't allow access if they are the same.

Re: Restrict specific user from telnet session with c shell

shardam — Mon, 24 Sep 2007 00:23:34 GMT

Hi All,

Sorry for my delay reply, however:

Aussan, modify shell with /usr/bin/false will disable the user totally even if you will do "su/su -"

Tim, tcp wrapper based from my experience with this service tool, as far as i know it will restrict only the specific users from a certain services/daemons but this can work only to restrict certain hosts,ips/subnets from host.deny/allows files. Take note this user is using csh shell and i dont think it's using /etc/profile (applicable ony with posix/bourne shells) but it's /etc/csh.login, the requirement from this dba user is to restrict direct telnet, I made some script from this user's profile (.cshr/.login) but still bypasing my script.
Is it possible from tct wrapper to restrict certain user to access from daemon/services?

Iva, sorry no access from HP Europe ITRC site but only ASIPAC =) but let me try to register there later. Would appreciate if you can attach from here.

Thanks again for your support but our clients since from the start they already using this logins sevice and most of them implemented in the production systems and already suggested to use ssh instead =(

Re: Restrict specific user from telnet session with c shell

OldSchool — Mon, 24 Sep 2007 09:26:11 GMT

Same doc as above, except America/Asia Pacific site:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1

Re: Restrict specific user from telnet session with c shell

TY 007 — Mon, 24 Sep 2007 21:39:49 GMT

Hello Alfredo,

Workaround: /var/adm/inetd.sec

Thanks

Re: Restrict specific user from telnet session with c shell

shardam — Tue, 25 Sep 2007 22:04:11 GMT

Hi TY, /var/adm/inetd.sec can not restrict particular user to deny from telnet login sessions but can only work to allow/deny certain address/hosts from services.

Has anyone encountered this same concern of mine, restricting user with c shell to deny direct login from telnet session but su is enable from it? Highest points will be rewarded =)

Re: Restrict specific user from telnet session with c shell

shardam — Wed, 26 Sep 2007 01:33:05 GMT

Hi sorry to mention about tcp wrapper that this can able to deny specific user from service being use but this can only restrict certain hosts/ips based from host.allow/deny.

Re: Restrict specific user from telnet session with c shell

AwadheshPandey — Wed, 26 Sep 2007 02:27:58 GMT

http://www.cites.uiuc.edu/wsg/resources/security/hpux.html#login
http://www.blacksheepnetworks.com/security/resources/sec_HPUX.html
here is a good thing for you. try it it should work.
http://www.brandonhutchinson.com/restricting_user_access.html

cheers.

Re: Restrict specific user from telnet session with c shell

OldSchool — Wed, 26 Sep 2007 12:06:43 GMT

alfredo,

as noted above, you will need to look at the difference between what "who am i" and "whoami" return. "whoami" will return the id of the current effective user (the one you su'd to), while "who am i" will return the id you came from.

if the result of "whoami" is a user that should not telnet directly, you then need to check if the user returned by "who am i" is different. If not, block the login, if so they can proceed. The logic itself should probably go in /etc/csh.login. Note that you will then have to maintain the list of prohibitted users somewhere.

As to the actual code to do that, you're on your own, as I haven't seen a csh script in years.

Unless there are overwhelming reasons not to, users of csh should consider moving to other shells like /bin/sh (posix), /usr/bin/ksh, bash or others. You might look at:

http://www.faqs.org/faqs/unix-faq/shell/csh-whynot

for more info.

Re: Restrict specific user from telnet session with c shell

shardam — Thu, 27 Sep 2007 01:18:10 GMT

Hi Oldschool,

Thank you very much for the idea of difference between these whoami/who am i, as I finally created one simple script under c shell and appended this to .login of the profile of each restricted users and it was successfully work. The users are now restricted thru direct login of telnet/even ssh and can only login from su/su - from normal users. Again, thanks to all ;-)

Regards,
Alfred

Re: Restrict specific user from telnet session with c shell

OldSchool — Thu, 27 Sep 2007 10:23:26 GMT

You're welcome Alfredo, although the credit should go to "larsoncu" as he had suggested it in a post earlier in this thread.

also, please award points and close thread if the issue has been resolved.

see: http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Re: Restrict specific user from telnet session with c shell

shardam — Mon, 01 Oct 2007 04:23:23 GMT

Thanks again, guys!