topic restricted telnet access in Operating System - HP-UX

restricted telnet access

Carsten Drzensky — Tue, 23 Jan 2001 11:24:53 GMT

Hi,

Although I am working with Unix now for three years (which is not very much) I am coming right now to the system administration of our HP9000 which is really new to me.

We have several applications running on our HP-UX 11.0 system which are used and accessed by several people via the LAN/WAN.
To have a better possibility of logging users and their activities I would like to disable the Unix user accounts where the apps are isntalled and have one account for each user who should do a "su - " then.

Could You please help me in setting this up as I cannot really find something about this in the documentation?

Thanks in advance!

Regards,

Peter

Re: restricted telnet access

Victor BERRIDGE — Tue, 23 Jan 2001 11:47:12 GMT

Hi,
I suppose the easiest would be to install and use sudo: You will not have to fight with shells configs etc...
You will not have to give the passwd of your application UID, you could configure sudo so it su them with the command without passwd asked...

Good luck

Victor

Re: restricted telnet access

Bill Hassell — Tue, 23 Jan 2001 12:22:31 GMT

If the users have no need for a shell prompt (that is, their work is dedicated to a specific application), then change the user's shell to the application, or if the app needs a certain environment, a shell wrapper that only starts the application and exits when it is done. Just change /etc/passwd for each user's shell.

Re: restricted telnet access

Carsten Drzensky — Tue, 23 Jan 2001 12:46:30 GMT

Thanks for the fast replies!

The users will need Shell access so logging them directly into the application will not work on our system.

I had a quick look at sudo and it looks really nice. What I still wonder is how I can use sudo to prevent specific users logging on via telnet. Will sudo deny the connection when configured properly? (If yes would it be possible to have an example configuration for this?)

Peter

Re: restricted telnet access

Victor BERRIDGE — Tue, 23 Jan 2001 15:12:27 GMT

The idea is the user has to connect himself first since he doesnt know the passwd of the app-user, and has to use sudo...

You can trace the sudo activity because it will be logged in /var/adm/syslog/syslog.log:
COMMAND=/usr/bin/su - dbatram -c save_export_dbid 2WEEKS 2001.01.12
Jan 12 23:38:57 caph syslog: su : + tty?? root-dbatram
Jan 12 23:50:01 caph sudo: opertopa : TTY=unknown ; PWD=/home/opertopa ; USER=root ;
COMMAND=/usr/bin/su - dbatopa -c save_config_dbid

Good luck
Victor

Re: restricted telnet access

Victor BERRIDGE — Tue, 23 Jan 2001 15:19:43 GMT

Hi,
I remembered that I used the source and compiled sudo myself in order for it to do what I wanted, I cant remember what was wrong with the one from the porting center, it was maybe timeout limit and asking passwd issue...

Best regards
Victor

Re: restricted telnet access

Paul te Vaanholt — Wed, 24 Jan 2001 08:21:25 GMT

Hi,

The easiest way to prevent a direct telnet or ftp session for a specific user is by changing the password field to '*'. On a normal system this can be done in /etc/passwd, on a trusted system you can find the file in /tcb/files/auth. Setting the password field (not the password, but the field) to '*' will still allow su, rcp, rlogin, cron scripts etc.

Good luck and regards,

Paul te Vaanholt
HP Consulting

Re: restricted telnet access

Luiz Fernando de Andrad — Wed, 24 Jan 2001 12:54:04 GMT

1. you can restrict access to any inetd service (as telnetd, ftpd, etc) using /etc/hosts.allow and /etc/hosts.deny

2. you can put all useres who can access de aplication on a group (/etc/group). Then you can check on login script ( /etc/profile )

[ `id | grep -c "xxx=(nnn)"` != 1 ] && exit

where xxx is the group ID and nnn is the group name

Re: restricted telnet access

Patrick Wallek — Wed, 24 Jan 2001 15:23:57 GMT

You can also restrict access to hosts via /var/adm/inetd.sec file. Do a 'man inetd.sec' for more information. Inetd.sec allows you to allow all hosts to connect, but deny certain ones, or deny all hosts but allow certain ones.

Re: restricted telnet access

Darren Miller — Wed, 24 Jan 2001 16:10:23 GMT

Two parts to this answer:

1) How do I prevent certain users from loggin ing in via telnet?

Add a few lines in the ~/.profile script belonging to the user you want to lock out. The following code snippet seems to work:

if ps -f | grep -q [t]elnetd; then
echo "telnet access not allowed"
exit 99
fi

This code immediately terminates telnet logins, but allows CDE and local logins to succeed.

2) How do I grant non-root users root access to execute selected commands?

I concur with the previous postings: sudo is the tool you need. I installed it from http://hpux.cs.utah.edu/ before with great success.

Hope that helps!

Re: restricted telnet access

Peggy Fong — Tue, 06 Feb 2001 17:46:16 GMT

I know this is a late answer but I just came across your question. It sounds like you want to deny direct login access to an application-id and force users to login with their real user-id and then su to to application-id. If this is true, I've implemented it by creating a file called /etc/not_loginable. In this file you would list each id you do not want direct login access (e.g. oracle, apdms, ...) Do NOT include root in this list. Then add a script to /etc/profile to read this list and exit if the login matches. Here are examples of the input file and script:

# cat /etc/not_loginable
oracle
opc_op
applmgr
oradev

First part of /etc/profile - add custom code right after the "trap" command:

# @(#) $Revision: 74.2 $

# Default (example of) system-wide profile file (/usr/bin/sh initialization).
# This should be kept to the bare minimum every user needs.

# Ignore HUP, INT, QUIT now.

trap "" 1 2 3
#
# custom code for denying generic account login
if logname > /dev/null 2>&1
then
LGNM=`logname`
if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
then
echo "\nDirect login not allowed for $LGNM\n"
echo "\nNO remote login allowed for $LGNM(`date '+%D %T'`)\n" |
mailx -s "`hostname` login attempt for $LGNM" root
echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
logger -p user.err -t NOT_LOGINABLE
exit 1
fi
fi

# end custom code

My apologies if the spacing did not come out right. I'v added an attachment that should look cleaner. I never added an attachment. If this one doesn't work - I'll try again on the next post.
Hope this is what you were looking for.

Re: restricted telnet access

Carsten Drzensky — Thu, 08 Mar 2001 09:39:08 GMT

Hi,

Thanks to all for Your help and replies and apologies for the late points assignment.

I ended up with the solution of editing the /etc/profile file. After adding the appropriate lines users listed in a specific file are not able to log on via telnet anymore.

Regards,

Peter