topic Re: Telnet restriction in Operating System - HP-UX

Telnet restriction

CHRIS QUINN — Thu, 21 Mar 2002 10:29:36 GMT

I need to restrict a user from telneting to other servers (this user dials into the server).
He needs to retain access to ftp and will be allowed to transfer files from his PC.
The server he dials into sits on a network with over 200 Nt and Unix servers so I need a solution that I can apply on the server he dials into, one solution would be to alias telnet etc in his profile, but as he is allowed to ftp files to the server this cannot guarantee he will not ftp a version of telnet from his own PC, name it fred and use this to telnet out of the server.
Has anyone any other solutions?

Re: Telnet restriction

G. Vrijhoeven — Thu, 21 Mar 2002 10:57:02 GMT

Hi,

You can provide the user with a change root env. and only link the commands he is allowed to use ore create a menu that provide the user with the commands he needs to use.

Hope this will help,

Gideon

Re: Telnet restriction

CHRIS QUINN — Thu, 21 Mar 2002 12:21:26 GMT

Although linking would work! the only restriction for the user would be telnet, rlogin etc, so linking all the other commands would be impractical.
Thanks anyway

Re: Telnet restriction

Clemens van Everdingen — Thu, 21 Mar 2002 12:26:41 GMT

Hi,

It might be a solution to create a hosts.allow file and put his ip address in there with ftp.

C.

Re: Telnet restriction

K.Vijayaragavan. — Thu, 21 Mar 2002 13:54:42 GMT

Hi,

As he may telnet from his PC, and if his PC has got a fixed IP, then you can edit the "/var/adm/inetd.sec" file and add and entry,

"telnet deny

-Vijay

Re: Telnet restriction

Ron Kinner — Thu, 21 Mar 2002 15:27:50 GMT

If you change the default ftpd mask from 027 with the ftpd -u option and alias away both chmod and telnet then he could upload fred but couldn't run it. Except that I see that HP has a non-standard SITE option on ftp which allows him to chmod and mask. Anyway to disable that?

Ron

Re: Telnet restriction

Steve Darnell — Fri, 22 Mar 2002 00:37:48 GMT

I am skeptical about the idea of aliasing away the telnet command.
For this to work, you would also have to alias /usr/bin/telnet, /usr/bin/./telnet, etc.

Re: Telnet restriction

Ron Kinner — Fri, 22 Mar 2002 03:59:23 GMT

How about replacing the telnet command for this guy with:

echo "You're Fired!" ;-)

Ron

Re: Telnet restriction

Scott Van Kalken — Fri, 22 Mar 2002 04:25:06 GMT

if all he needs is ftp then set his shell to be /usr/bin/ftp.