Operating System - HP-UX
Re: hi..pls..help..profile scriptin..

 
rookie250
Occasional Contributor

hi..pls..help..profile scriptin..

Hi,

I want to customize a user in Unix which could have only FTP access and NO TELNET ACCESS!
Being a newbie to Unix, to my understanding the user .profile has to be edited, but can someone explain how to edit it so that I can block telnet access for that user? Does /etc/profile have to be edited, or the local .profile in the user's home directory?

Please note I only want that user not to be able to telnet from his account, but he should be able to log in to his account.

Please, if somebody can help on this... Moreover, I have a telnet block script, which you can see below, but how do I implement it?

Here's the script portion in /etc/profile:

----------------------------------------
#
# Configure telnet access - root can always telnet to the server
#
if [ -f /etc/telnet.allow ] ; then
    user_id=${LOGNAME}
    # Is this login session coming in through telnetd?
    telnetused=`/usr/bin/ps -f | grep "[t]elnetd" | grep -v "grep" | wc -l`
    # Count exact-match entries for this user in the allow file (empty file => 0)
    if [ -s /etc/telnet.allow ] ; then
        userallowcount=`grep "^$user_id$" /etc/telnet.allow | wc -l`
    else
        userallowcount=0
    fi
    if [ $telnetused -gt 0 -a $userallowcount -eq 0 -a "Xroot" != "X${LOGNAME}" ] ; then
        DATEE=`/usr/bin/date +%Y%m%d`
        TIMEE=`/usr/bin/date +%H%M%S`
        NDNAME=`/usr/bin/uname -n`
        BASENM=`/usr/bin/basename $0`
        #if [ -f /etc/ALIASNAME ] ; then
        #    ALIASNAME=`cat /etc/ALIASNAME`
        #fi

        echo "ERMS1311: Error - Telnet access is not allowed... Terminating"

        # Also record the denial in syslog via logger, if it is installed
        if [ -f /usr/bin/logger ] ; then
            /usr/bin/logger -t "login" "ERMS1311: Error - Telnet access for ${LOGNAME} is not allowed... Terminating..."
        fi
        echo "ERMS1001: Error - YOU DO NOT HAVE TELNET ACCESS TO THIS SERVER"
        echo "SESSION TERMINATING IN 10 SECONDS"
        echo "${DATEE} : ${TIMEE} : ${NDNAME} : ${user_id} : ERMS1311 Telnet access not allowed" >> /var/adm/log/security/telnet_deny.log
        sleep 10
        exit 99
    fi
fi
-----------------------------------

Failures are logged to a log file in addition to being logged to syslog.log via logger.

The user is shown an error message for ten seconds prior to the current telnet session exiting.
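The following is an added example and not part of the original post or its script: it pulls the allow/deny decision out of the /etc/profile snippet above into a function that can be run against a throwaway allow file instead of the live /etc/telnet.allow. The user names and the allow-file contents are constructed for the example. The function keeps the snippet's exact semantics, including one that is easy to miss when reading it: the outer `-f /etc/telnet.allow` test means a missing file skips the check entirely, so the policy fails open if the file is ever deleted, while an existing but empty file denies everyone except root.

```sh
#!/bin/sh
# Added example, not the poster's code: the allow/deny decision from the
# /etc/profile snippet, isolated so it can be exercised against a temporary
# allow file. Semantics copied from the posted script:
#   - root always passes (the "Xroot" != "X${LOGNAME}" guard)
#   - a MISSING allow file skips the whole check (outer -f test), so every
#     user is let through: the policy fails open if the file is removed
#   - an EMPTY allow file (-s fails) sets userallowcount=0: everyone but
#     root is denied
#   - otherwise the login name must match a whole line (grep "^$user_id$")

# telnet_allowed USER ALLOWFILE
# Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
telnet_allowed() {
    user=$1
    allowfile=$2

    if [ "X$user" = "Xroot" ]; then
        echo allow
        return 0
    fi

    # No file at all: the original never reaches its deny branch.
    if [ ! -f "$allowfile" ]; then
        echo allow
        return 0
    fi

    # File exists but is empty: the original sets userallowcount=0.
    if [ ! -s "$allowfile" ]; then
        echo deny
        return 1
    fi

    # -x matches the whole line (like ^...$); -F takes the name literally,
    # so a login name containing regex characters cannot widen the match.
    if grep -q -F -x "$user" "$allowfile"; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# Self-check against a constructed allow file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'alice\nbob\n' > "$tmp/telnet.allow"   # constructed sample
    : > "$tmp/empty.allow"                         # exists, zero length
    for u in alice carol ali root; do
        printf '%-6s telnet.allow  -> %s\n' "$u" "$(telnet_allowed "$u" "$tmp/telnet.allow")"
    done
    printf 'bob    empty.allow   -> %s\n' "$(telnet_allowed bob   "$tmp/empty.allow")"
    printf 'carol  missing.allow -> %s\n' "$(telnet_allowed carol "$tmp/missing.allow")"
    rm -rf "$tmp"
}
demo
```

The fail-open case is the one worth watching on a real system: if /etc/telnet.allow is meant to be the control, keep it owned by root, not writable by others, and present even when it is empty, and check that the deny log and the syslog entry actually appear when a non-listed user is tested.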
Peter Godron
Honored Contributor

Re: hi..pls..help..profile scriptin..

Hi and welcome to the ITRC forums !

Have you seen the recent thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1053025

If this post helped, please read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#28
spex
Honored Contributor

Re: hi..pls..help..profile scriptin..

Hi,

The thread Peter linked to is a good one.

At a quick glance, that script should work, although it's not the prettiest script I've ever seen. It takes a negative approach to telnet. That is, it denies by default, forcing you to explicitly grant access by adding a username to /etc/telnet.allow. So if you decide to use the script, denying telnet access to a particular user is simply a matter of NOT adding the username to /etc/telnet.allow.

/etc/profile is executed for every user, while ~user/.profile is executed only when "user" logs in. So to avoid adding/maintaining the script in multiple profiles, add it once to /etc/profile.

Please clarify this statement:

"pls note i only want that user cld not telnet from his account but he should able to log in..in his account."

Should be able to log in how? SSH? SMB/CIFS? System console?

PCS
rookie250
Occasional Contributor

Re: hi..pls..help..profile scriptin..

"Please note I only want that user not to be able to telnet from his account, but he should be able to log in to his account."

By the above I mean that as a superuser I should be able to telnet into this user's account; however, once in the account, the user should not be able to telnet again, so his telnet should be blocked!
Peter Nikitka
Honored Contributor

Re: hi..pls..help..profile scriptin..

Hi,

You did not answer the question about ssh, rlogin or other methods you consider valid for this user.
If you want FTP access and nothing else, enter
/bin/true as a valid shell into /etc/shells and as the shell of this user in /etc/passwd.
Ordinary logins will then terminate immediately, but an ftp session will not.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
rookie250
Occasional Contributor

Re: hi..pls..help..profile scriptin..

hi..

I want the user to log in to his account through telnet only and to have FTP access only.

And regarding the solution you gave about changing the shell to /bin/true:
>First, I don't have an /etc/shells file on my system,
>Moreover, adding this shell will completely block the user from logging in, and he won't be able to telnet into his account either, whereas my purpose is that he should not be able to telnet further from his account.

Peter Nikitka
Honored Contributor

Re: hi..pls..help..profile scriptin..

Hi,

It was not clear from your previous postings that you really WANT to have telnet access for that user:
>>
I want to customize a user in unix which could have only ftp access and NO TELNET ACCESS! .....
<<

My solution with /bin/true as login shell cannot be used then (as I stated in my answer).

There is no standard method for blocking a single user from using the telnet command.

Some suggestions:
1 Set up a directory with links to 'permitted commands'

2 Replace /usr/bin in the PATH of that user with your substitute; remove other components containing 'forbidden' commands as well.

3 Give the user a restricted shell - that way (s)he cannot change the PATH variable


mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
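The following is an added example, not code from Peter's post or from HP-UX, that builds suggestions 1 and 2 above in a temporary directory so they can be tried without touching a real account. A directory of links to permitted commands becomes the user's entire PATH, and a helper reports which command names still resolve under that PATH. The permitted command names (ls, cat, date) are constructed for the example; assigning that PATH in the user's profile and giving the account a restricted shell (suggestion 3) are assumed to be done separately.

```sh
#!/bin/sh
# Added example, not from the thread: a "permitted commands" directory that
# replaces /usr/bin in a user's PATH. Anything not linked here, telnet
# included, is simply not found. Command names are constructed for the demo.

# make_restricted_bin DIR CMD...
# Creates DIR and a symlink in it for each CMD that resolves to an executable
# file on the current PATH. Builtins and unknown names are reported and
# skipped, so the directory holds only what was explicitly listed.
make_restricted_bin() {
    dir=$1
    shift
    mkdir -p "$dir"
    for cmd in "$@"; do
        target=$(command -v "$cmd" 2>/dev/null || true)
        case "$target" in
            /*) ln -sf "$target" "$dir/$cmd" ;;
            *)  echo "skip: $cmd is not an external command" >&2 ;;
        esac
    done
}

# in_restricted_path DIR CMD
# Prints "yes" if CMD resolves when PATH consists of DIR alone, else "no".
# The lookup runs in a subshell so the caller's PATH is untouched.
in_restricted_path() {
    if ( PATH=$1; command -v "$2" ) >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

demo() {
    d=$(mktemp -d)/bin
    make_restricted_bin "$d" ls cat date
    echo "PATH for the user would be: $d"
    echo "ls     -> $(in_restricted_path "$d" ls)"
    echo "telnet -> $(in_restricted_path "$d" telnet)"
    echo "sh     -> $(in_restricted_path "$d" sh)"
}
demo
```

Two points to check before relying on this: the links must point at the real binaries (anything with a shell escape, such as an editor or pager, gives the user a way to run other commands), and the PATH assignment only holds if the login shell prevents the user from changing it, which is exactly why suggestion 3 belongs with the first two.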
rookie250
Occasional Contributor

Re: hi..pls..help..profile scriptin..

...Anyway, thanks Peter for your help. I will try out your suggestions and see if they work for me!