topic Re: Restricting user access in Operating System - HP-UX

Restricting user access

Paul Czetwertynski — Thu, 22 Feb 2001 12:49:01 GMT

Is there a way to restrict terminal session logons for specific users? (similar to securetty for root)

Re: Restricting user access

MARTINACHE — Thu, 22 Feb 2001 13:10:11 GMT

Hi,

"man inetd.sec" will probably help you.

Regards,

Patrice.

Re: Restricting user access

Steven Sim Kok Leong — Thu, 22 Feb 2001 13:19:35 GMT

Hi,

If you are using sshd v2 for remote sessions, then you can easily restrict user access from specific IP addresses by simply making use of the SSH2_CLIENT variable which reflects the IP address from which you connect from and the LOGNAME variable.

Using these two variables in /etc/profile, you can force a user to disconnect if the LOGNAME and SSH2_CLIENT variables are not associated.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: Restricting user access

Sandor Horvath_2 — Thu, 22 Feb 2001 13:35:35 GMT

Hi !

Edit /etc/profile and /etc/cshrc and check tty
whith tty command az user with $LOGNAME or id -un command. Exit if not allowed.

With the /var/adm/inetd.sec file You can filter acces by IP address.

regards, Saa

Re: Restricting user access

unixdaddy — Thu, 22 Feb 2001 15:26:09 GMT

Although the OS does not provide this capability directly (there is nothing
similar to /etc/securetty for root), adding the following statements to
/etc/profile or /etc/csh.login should prevent a certain user from
login but allow su - username.

Expand on the "if" statement if there are multiple accounts.

For Bourne and POSIX shells, add the following to /etc/profile:

name=`logname`
if [ $name = username ]
then
echo $name not allowed to login...only su
exit
fi
#end

For C shell, add the following to /etc/csh.login:

set name=`logname`
if ( $name == username ) then
echo $name not allowed to login...only su
exit
endif
#end

Re: Restricting user access

Ray Evans — Thu, 22 Feb 2001 17:22:01 GMT

Place this snip at the bottom of your system profile. Change the UID's top match those you want to have access. Touch /etc/nologin and remove when finished.

We use this during system maintenance as our users never seem to listen to our guidance.

hth,

Ray

# Check for file /etc/nologin. If present, log the users off (system
# maintenance in effect).

if [ -r /etc/nologin ]
then
case `/usr/bin/id -u` in
0|103|101|104|185)
echo "\n\n\n";
echo " --> NOTICE <---";
echo "User login is currently disabled because of system mainten
ance";
echo "However, you will be allowed in.";
echo "\nPress Enter to continue...\c";
read junk;;
*)
sleep 2;
clear;
echo "\n\n\n\n\n\n\n\n";
echo " The system is currently unavailable.";
echo " Please try again later. DPI Helpdesk can be contacted @
4298.";
sleep 5;
exit 1;;