topic Re: restricting loings based on username in Operating System - HP-UX

restricting loings based on username

Amit Dixit_2 — Tue, 21 Sep 2004 02:55:09 GMT

Hi,
I want to restrict login based on the
username.

i.e I want to restrict logins/telnet from
network for all except root and mylogin.

How can I do that also I want to restrict
ftp services as well.

Thanks
Amit

Re: restricting loings based on username

Bharat Katkar — Tue, 21 Sep 2004 03:01:32 GMT

HI Amit,
You can restrict telnet/ftp in /var/adm/inetd.sec file. See man inetd.sec.
Also you can restrict it at network/hostname level but doubt if it is possible with Usernames.
You can use you machine IP and allow it and deny for everbody else.
Regards,

Re: restricting loings based on username

R. Sri Ram Kishore_1 — Tue, 21 Sep 2004 03:06:36 GMT

Hi Amit,

Take a look at this thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=700431

HTH.
Regards,
Sri Ram

Re: restricting loings based on username

Franky_1 — Tue, 21 Sep 2004 03:11:44 GMT

Hi,

you can restrict the ftp / telnet login in general using /var/adm/inetd.sec file or
/etc/ftpd/ftpusers for ftp and
/usr/bin/false as shell to prohibit telnet login

Regards

Franky

Re: restricting loings based on username

R. Sri Ram Kishore_1 — Mon, 16 Sep 2024 09:20:47 GMT

Hi again,

Check these out as well:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=94744
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=93455

HTH.
Regards,
Sri Ram

Re: restricting loings based on username

Muthukumar_5 — Tue, 21 Sep 2004 03:12:58 GMT

We can not use inetd.sec file userbased administration on login service.

We can do it with profile file as,

if [[ $LOGNAME != "root" || $LOGNAME != "mylogin" ]]
then

if [[ $(ps | grep -q telnetd) -eq 0 || $(ps | grep -q logins) -eq 0 ]]
then

echo "Telnet service to $LOGNAME is denied. Contact admin now"
sleep 3
exit 1

fi
fi

2. We can restrict ftp based on users with ftpusers file there.

See man ftpusers

Re: restricting loings based on username

Muthukumar_5 — Tue, 21 Sep 2004 03:29:49 GMT

We can not use inetd.sec file, because it will be operated based on ip-address / network there. So one feasible way is to control users with the username and login service name on the /etc/profile there. So that every login will use that file to login and we can control there.

ftp service restriction will be good and easy with ftpusers file right there.

Refer this link for mroe,
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=664925

Re: restricting loings based on username

Robert Fritz — Wed, 22 Sep 2004 10:31:53 GMT

I would recommend not using /etc/profile or .profile scripts to control logins. Shells have escape and meta characters that users can use to interfere with the operation of the script.

I guess I'm wondering, if you don't want the users logging in, why you can't just make their login shell /usr/bin/false(for logins, not ftp) or put a "*" in their /etc/password entry. If you chroot your ftp, then make sure you either use the ftpusers file or put a "*" in the chrooted /etc/password too.

If you want more granular control, like expiration, number of simultaneous users, etc, check out /etc/default/security. It's got a bunch of stuff.

Re: restricting loings based on username

Sundar_7 — Wed, 22 Sep 2004 10:38:21 GMT

Amit,

To restict network logins for the user account, you need to add some code to the /etc/profile that checks the username and kicks off it is not root or your own username.

To restrict ftp based on the login name, you need to create the /etc/ftpd/ftphosts file.

# vi /etc/ftpd/ftphosts
deny user1 *
#

Now the user user1 will not be able to login anywhere from the network.

-- Sundar

Re: restricting loings based on username

Mike Patterson — Wed, 22 Sep 2004 11:24:38 GMT

Some notes I have on this:

(Incidentally, in AIX, just touch /etc/nologin to keep users off system.)

1. One way to keep users from getting a login, etc., is to use allow and deny entries in /var/adm/inetd.sec. You can specifiy a service to allow or deny and put host names or IP addresses to control. See man on inetd.sec.

Example:
telnet deny 10.11-12
telnet allow 10.12.80.67 10.12.80.104
login deny 10.11-12
login allow 10.12.80.67

This example denies anyone from accessing the system by either rlogin (login service) or login (telnet) from the 10.11-12 network. It allows 2 specific IP address for those services.

2. Another easy way to control logins, is to put a function in a menu or /etc/profile that allows quick login, but quickly displays a message and logs the user out. I comment/uncomment this function to quickly control access.

Example function:

function no_access
{
# Allowed users:
OK_TO_LOGIN="root|mp5802"
if [ ! x`echo $LOGNAME | egrep -v $OK_TO_LOGIN` = "x" ]; then
clear
echo ""
echo ""
echo " SYSTEM IS UNAVAILABLE"
echo ""
echo ""
sleep 3
exit
fi
}
# now call the function:
no_access

Re: restricting loings based on username

Montagne_3 — Thu, 23 Sep 2004 17:14:49 GMT

Hi,

You can see TCP Wrappers to restrict access to your host but it is based on ip address or hostname.
With this software you can keep traces of connections and allow / deny access for ftp,telnet services.
It is free.

Laurent