topic Re: how restrict any user from logging remotely ? in Operating System - HP-UX

how restrict any user from logging remotely ?

PUJOL Gregory — Tue, 02 Oct 2001 11:15:48 GMT

Hi,

On HP-UX V10.20, how can I restrict any user from logging remotely ?
I would like that the only way to connect as this "restriced user" is :
- on the console ;
- by "su" from "non-restricted user".

Thanks
GRP

Re: how restrict any user from logging remotely ?

Torsten. — Tue, 02 Oct 2001 11:35:27 GMT

Hello,

you can find information about this in
man hosts.equiv (for rlogin configuration) or
man inetd.sec (for telnet/ftp access).
Another way to configure user access is to use SAM:

sam Areas->Networking and Communication->System Access

Hope this helps

Torsten

Re: how restrict any user from logging remotely ?

Santosh Nair_1 — Tue, 02 Oct 2001 11:39:02 GMT

I've been able to do this by modifying the /etc/profile so that it check if someone is trying to log in directly as the restricted user and if so, issue an error message and exit.

The way to check if the user is logging in directly is to see the parent process of the shell, it should be another shell and not rlogind or telnetd. I can post my script if you'd like.

-Santosh

Re: how restrict any user from logging remotely ?

Bernie Vande Griend — Tue, 02 Oct 2001 14:04:54 GMT

I do this similarly to how Santosh does, that is, using /etc/profile, but I check to see if the userID is that restricted user and then check the TTY that is being used. Unless it is /dev/console, then it is not allowed.

Re: how restrict any user from logging remotely ?

PUJOL Gregory — Tue, 02 Oct 2001 14:05:16 GMT

yes, i'd like to see your script.
thanks.

Re: how restrict any user from logging remotely ?

Brian Markus — Tue, 02 Oct 2001 15:50:12 GMT

I added this to my /etc/profile a long time ago. It worked just fine.
just touch a file called nologin in /etc. if it exists then it will only allow the following users in.

if [ -r /etc/nologin ]
then
case $LOGNAME in
root ) ;;
bmarkus ) ;;
oracle ) ;;

esac
fi

Good luck

Hope it helps

Brian

Re: how restrict any user from logging remotely ?

Santosh Nair_1 — Tue, 02 Oct 2001 17:09:15 GMT

Brian,

Wouldn't that just effectively prevent anyone from logging in as those users...even an su wouldn't work (?).

Anyway, I've attached my script. I also make the following changes to /etc/profile:

------cut here-----
UID=`id -u`

if [ -f /etc/nologin -a ! $UID = 0 ]
then
echo "Machine not yet available"
exit 0
fi
if [ ! -d ${HOME} ]
then
echo "Unable to change directory to ${HOME}"
exit 1
fi

# Check if in multiuser mode (i.e. runlevel is 3 or 4)

set `/usr/bin/who -r`
RL=$3
set --
if [ $RL = 3 -o $RL = 4 ] && [ `/usr/bin/tty` != /dev/console ]
then
if [ -f /etc/checkuser ];then
. /etc/checkuser
fi
fi

------cut here-----
The script is called checkuser. I create a special group, i.e. su_, where is the account that I'm trying to restrict. This allows me to restrict direct logins as that user and also allows me to say WHO can log in as that user.

Hope this helps.

-Santosh

Re: how restrict any user from logging remotely ?

Kim Kendall_1 — Tue, 02 Oct 2001 18:04:33 GMT

create the file /etc/securetty and add console
on a single line

echo "console" > /etc/securetty

Then only the console will allow direct root logins. All
remote logins must be made with regular accounts
and then they can "su" to root.

Re: how restrict any user from logging remotely ?

Darrell Allen — Tue, 02 Oct 2001 19:52:34 GMT

Keep in mind that not all logins use /etc/profile, specifically csh users. You would need to make appropriate changes for those shells also (csh uses /etc/csh.login).

/etc/profile and /etc/csh.login are not executed for "su loginid", but are executed for "su - loginid". That means that after someone logs in they could "su loginid" regardless of any checks in profile or csh.login. However, to allow "su - loginid" to bypass the edit for being on the console you would need to determine it the user is su'ing. You could do something like:
loginid=`who am i|awk '{print $1}'`
suid=`/usr/bin/whoami`
if [ $loginid = $suid ]
then
#check to see if on console
fi

This works because "whoami" returns the suid while "who am i" returns the loginid. If they are the same the user is probably logging in. If different, they are su'ing.

Darrell

Re: how restrict any user from logging remotely ?

Fred Martin_1 — Wed, 03 Oct 2001 14:59:14 GMT

I had a situation where I wanted to control who logged in remotely, i.e. from another network, and I wanted to control it by who they were.

So I created a group in /etc/group, and this became the access list for who was allowed in.

Then, in /etc/profile, I added a section at the top that 1) determined if they were coming from another network, and if so 2) checked to see if the user was a member of the group.

The script logged them out if 1 was true but 2 was false.

Re: how restrict any user from logging remotely ?

Fred Martin_1 — Wed, 03 Oct 2001 15:03:24 GMT

Forgot to mention, there is a thread here somewhere with my name on it, as we discussed some of the details when I set that up.

Also note that my solution will also prevent someone from logging in from another network, and then su'ing to another user unless that user is also in the access list. This because /etc/profile will run again for the su.

Re: how restrict any user from logging remotely ?

Wodisch — Fri, 05 Oct 2001 00:33:19 GMT

Hello,

do not forget the other ways of loggin in:
- remote shell: remsh
- secure shell: ssh
- X-Windows/CDE: XDMCP
- NFS remote execution: on

You will have to block those, too.
For "remsh" and "ssh" you may use "/var/adm/inetd.sec",
for "XDMCP" (X Windows Display Manager Protocol) you
can restrict it in "/etc/dt/config/Xsetup", and for the "on"
command in "/etc/inetd.conf".

HTH,
Wodisch

Re: how restrict any user from logging remotely ?

Fred Martin_1 — Wed, 05 Jun 2002 15:22:27 GMT

I know this is an old thread and there are several others here, about adding stuff to /etc/profile.

Just a word of caution, if you add any script language that uses commands from /usr/bin, like sed, getip, etc. then the script will prevent you from booting in single user mode, since /usr is not mounted when /etc/profile is executed.