rexec

 
SOLVED
Go to solution
Ihab Zaki
Advisor

rexec

Hello,

Is there a way to ban only one user from using rexec.

I know that I can comment the 'exec' line in /etc/inetd.conf but this will ban all users.

Thanks,
Ihab
8 REPLIES 8
Mark Grant
Honored Contributor

Re: rexec

You can use /var/adm/inetd.sec to limit individual IP's and hosts from running services.

It will look something like the following but check out "man inetd.sec"

exec deny 10.0.8.231
Never preceed any demonstration with anything more predictive than "watch this"
Graham Cameron_1
Honored Contributor

Re: rexec

Further to Mark's suggestion, note that you will have to modify the inetd.sec file on each remote system you want to stop the user getting out to.

You could consider writing a wrapper for rexec on the local system, but it's not so clean a solution.

-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Ihab Zaki
Advisor

Re: rexec

This applies to host / IP but not to user level, in my case I want to ban a user not a machine
Mark Grant
Honored Contributor
Solution

Re: rexec

You can do this but it's going to be really annoying. You can make sure that each user that uses rexec has a .rhosts file except the one you want to stop and that /etc/hosts.equiv does not contain a reference to the originating host.

This is going to be a pain to manage if you have a lot of users using rexec.
Never preceed any demonstration with anything more predictive than "watch this"
Graham Cameron_1
Honored Contributor

Re: rexec

I don't think the suggestion re .rhosts will help.
Unlike remsh, rexec dies not use .rhosts (or hosts.equiv). It prompts for a password and uses login authentication.

-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Mark Grant
Honored Contributor

Re: rexec

Graham,

"man rexec"
Never preceed any demonstration with anything more predictive than "watch this"
Jeff Schussele
Honored Contributor

Re: rexec

Hi Ihab,

Another option would be to obtain & install Tcp_wrappers software. Using it's /etc/hosts.allow & /etc/hosts.deny files granularity can be taken down to the user level as well as host & subnet levels.

Tcp_wrappers can be obtained here:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mark Grant
Honored Contributor

Re: rexec

Graham,

Apologies!! You are right, it's a long time since I read the man page for "rexec".

rexec authenticates the same as login!
Never preceed any demonstration with anything more predictive than "watch this"