topic Re: why it doesnt work? in Operating System - HP-UX

why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 02:25:27 GMT

http://ussupport2.external.hp.com/cki/bin/doc.pl/sid=e717c00a0d699871b1/screen=ckiDisplayDocument?docId=200000051899524
in this passage,it says:
For Bourne and POSIX shells, add the following to /etc/profile:

#unsupported statements to prevent users from login but allow su.
name=`logname`
if [ $name = username ]
then
echo $name not allowed to login...only su
exit
fi
#end

however i add it to my /etc/profile,but it doesnt work,what's wrong?
following is :
name=`logname`
if [ $name = pin2 ]
then
echo " $name not allowed to login..only su"
exit
fi

Re: why it doesnt work?

Ron Kinner — Fri, 22 Feb 2002 02:32:34 GMT

Perhaps pin2 should be "pin2" ?

Ron

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 02:36:17 GMT

Hi,

Replace logname with id -un and add the double quotes on $name to be sure.

name=`id -un`
if [ "$name" = "pin2" ]
then
echo " $name not allowed to login..only su"
exit
fi

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

Kenny Chau — Fri, 22 Feb 2002 02:42:00 GMT

Well, I should say to use ". ie.

if [ "$name" = "pin2" ]

Hope this helps.
Kenny.

Re: why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 03:04:36 GMT

now i rewrite it and add to etc/profile:
name=`id -un`
if [ "$name" = "pin2" ]
then
echo " $name not allowed to login..only su"
exit
fi

but it still doesnt work ,i still could use pin2 to login

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 03:11:17 GMT

Hi,

Tested to work fine for me.

Insert this statement in your /etc/profile right before the loop starts:

echo The login user is `id -un`

What does it show when pin2 logs in?

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 03:15:02 GMT

Hi,

In other words:

echo The login user is `id -un`
name=`id -un`
if [ "$name" = "pin2" ]
then
echo " $name not allowed to login..only su"
exit
fi

When you test pin2, you will see the printed output:

The login user is ...

What is printed there?

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 03:27:45 GMT

5555
maybe i didnt understand this script correctly

following is my understanding:
unix server:A,B
i add that script to B'/etc/profile,so it means that when i telnet B from A ,and when i
input pin2 in login,it will not allow me to input passwd.

isnt it?

Re: why it doesnt work?

Kenny Chau — Fri, 22 Feb 2002 03:32:03 GMT

I had tested it too and it really works. Just want to know the message " pin2 not allowed to login...only su " had appeared or not. If not, there is something wrong in the if-then-fi statement.

Hope this helps.
Kenny.

Re: why it doesnt work?

Deepak Extross — Fri, 22 Feb 2002 03:32:46 GMT

That's not how it works..
/etc/profile will be called only after successful login. Which means that you will ahve to enter your login name & password.
Then, if your login name if "pin2", you will be thrown out immediately.
You are specifying "pin2" at the login: prompt, right?

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 03:35:09 GMT

Hi,

When you telnet from system A to system B, system B will still prompt you for the password before "kicking" you out from system B.

/etc/profile is read upon successful login.

If you do not want the login prompt to be even shown, then you should use /var/adm/inetd.sec (on system B) to restrict the IP addresses (ie. system A fixed IP) that can telnet to system B

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

Kenny Chau — Fri, 22 Feb 2002 03:36:18 GMT

Well, as what I understand here, you still need to input the password when you telnet B from A after you put that script in the .profile. However, after you input the password, it will not show the prompt and it will show the messages "pin2 not allowed to login...only su" and then logout.

Hope this helps.
Kenny.

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 03:39:10 GMT

Hi,

Just an additional note that by restricting telnet via IP addresses in /var/adm/inetd.sec, you will block all userids from system A, in addition to pin2.

I would say that it is still safe to allow the user to be prompted for password and then get kicked out from /etc/profile.

If you don't like this, the workaround is to create a trust relationship either using SSH (ie. authorized_keys)or .rhosts (insecure) so that the user will not be prompted for login from system A and still get kicked out from /etc/profile (which has traps within which the user cannot break out ie. ctrl-c).

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

Kenny Chau — Fri, 22 Feb 2002 03:46:20 GMT

If you just want to restrict a user to login to a particular machine, you can modify the /etc/passwd file to change the password field of that user to an "*" so that user cannot login but can be su.

Hope this helps.
Kenny.

Re: why it doesnt work?

Steven Sim Kok Leong — Fri, 22 Feb 2002 03:50:26 GMT

Hi,

I agree with Kenny's method. I think changing the passwd field in /etc/passwd is the cleaniest solution to your requirements.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 04:18:18 GMT

well ,i see all you mean,but now i could login with pin2 and dont kick out from /etc/profile.

i tested a shell x:name=`id -un`
if [ "$name" = "pin2" ]
then
echo " $name not allowed to login..only su"
exit
fi

when i use pin2 to test x,it show
pin2 not allwed to login..only su
but pin2 doesnt exit

Re: why it doesnt work?

Kenny Chau — Fri, 22 Feb 2002 04:32:28 GMT

As what I understand, if you test X in a shell script even with pin2 as the login ID, it will of course did not exit the session because the line "exit" will only exit the shell script but not the telnet session. If you put that in the .profile, it will exit the login (as I had tested it before).

Hope this helps.
Kenny.

Re: why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 04:49:42 GMT

i find something so stranger:
when i use root to login:
it show:The login user is root

but when i use pin2 to login
it dosent show the message.

another thing i wanna know,when i login with pin2,system call which profile?
/etc/profile or /home/pin2/.profile?

Re: why it doesnt work?

Patrick Wallek — Fri, 22 Feb 2002 04:51:41 GMT

Are you sure of the shell for the pin2 id? It sounds like the shell it is using is the wrong one to call /etc/profile. Can you post the entry from your /etc/passwd file for the pin2 user id?

Re: why it doesnt work?

thebeatlesguru — Fri, 22 Feb 2002 05:03:16 GMT

you are right pin2:iLuWY44UDTQSk:1102:1008:,,,:/home/pin2:/usr/bin/csh
root is sbin/sh

i didnt notice it.
now ,what should i do