
Disable telnet access, but allow cron and su access

 
Robert Funk_1
Contributor

Disable telnet access, but allow cron and su access

Can anyone offer guidance for the following question?:

How do you disable telnet access for a particular UX account while still allowing local and su access?

I added the following lines to the user's .profile file to prevent telnet logins, but it also prevented cron jobs and su - access:

# no telnet sessions
echo "#####################################"
echo "### sorry, telnet access disabled ###"
echo "#####################################"
exit

Thank you,
Robert
6 REPLIES
Mark Greene_1
Honored Contributor

Re: Disable telnet access, but allow cron and su access

You can set the login shell for the user in /etc/passwd to /bin/false. This will prevent telnet login, but still allow cron, as cron doesn't use the login shell. However, "su -" will probably fail. You can perhaps get away with doing just an "su", but you may experience problems with the environment. You can work around that by setting up a file with the environment settings you need and manually invoking it after doing the su.

Mark
the future will be a lot like now, only later
RAC_1
Honored Contributor

Re: Disable telnet access, but allow cron and su access

This came up a few times on the forum. Please search the forums for "disable telnet".

Do you want to disable the telnet access to a particular user?? If yes, you can lock his account. passwd -l user_name.
You can also put some code in /etc/profile to check if user_name==xx and then deny access.

If the user always comes from a certain IP, then you can disable the access in the /var/adm/inetd.sec file.

For cron jobs, you can make use of the /var/adm/cron.allow and /var/adm/cron.deny files. About the use of su, you will have to do some coding. Move the su to something else and put a script there. This script will check which user is doing su and will grant access depending upon the checks you have put.

You may also want to look at /etc/default/security file. man 4 security for details.

Anil
There is no substitute to HARDWORK
Sridhar Bhaskarla
Honored Contributor

Re: Disable telnet access, but allow cron and su access

Hi Robert,

I usually do the following way. Create a file called /etc/nodirectlogin with the following syntax

suonly1:First User
suonly2:Second User

Then put the following snippet in /etc/profile (and modify it to suit csh.login for C shell)


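# login name that owns this terminal session (not changed by su)
ME=$(who am i | awk '{print $1}')
grep -q "^${ME}:" /etc/nodirectlogin
if [ $? = 0 ]
then
    # -F: sets the separator before the line is split; FS=":" inside the
    # action is too late for the line being read
    MYNAME=$(grep "^${ME}:" /etc/nodirectlogin | awk -F: '{print $2}')
    echo "$MYNAME!!! You cannot login directly. Login with your own id and then SU to $ME"
    exit
fi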

Here suonly user cannot login directly. But he/she can login as some user and then do an 'su' to suonly. The key is 'who am i' not "whoami".

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Mel Burslan
Honored Contributor

Re: Disable telnet access, but allow cron and su access

Your code segment can do a little checking before exiting:

# no telnet sessions
SHELL=ksh # change this according to user's default shell
# PID of the user's shell on this terminal
pid=`ps | grep ${SHELL} | grep -v grep | awk '{print $1}'`
# parent PID of that shell
ppid=`ps -ef | grep ${pid} | grep ${SHELL} | grep -v grep | awk '{print $3}'`
# is the parent a telnetd process? (output discarded, only the status matters)
ps -ef | grep ${ppid} | grep telnetd > /dev/null
r=$?
if [ $r -eq 0 ]
then
    echo "#####################################"
    echo "### sorry, telnet access disabled ###"
    echo "#####################################"
    exit
fi

Hope this helps
________________________________
UNIX because I majored in cryptology...
Muthukumar_5
Honored Contributor

Re: Disable telnet access, but allow cron and su access

We can control this easily in the .profile file or /etc/profile to block a particular user, as follows:


USER --> telnet disabled user

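if [[ "$LOGNAME" = "USER" ]]
then
    # Test grep's exit status directly: [[ $(... grep -q ...) -eq 0 ]] compares
    # grep's empty output with 0, which is always true. The parent process is
    # checked because plain ps only lists processes on this terminal.
    if ps -p $PPID | grep -q 'telnet'
    then
        # no telnet sessions
        echo "#####################################"
        echo "### sorry, telnet access disabled ###"
        echo "#####################################"

        # Sleep to display message and give time to read
        sleep 3

        exit 1
    fi
fi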

It will check whether the login service is telnet; if so, it prints the message and exits.
Sleep time will be needed to print the message for 3 seconds, so that the user knows the reason without exiting at once ;)

Regards
-Muthu
Easy to suggest when don't know about the problem!
Mark Greene_1
Honored Contributor

Re: Disable telnet access, but allow cron and su access

If you go with one of these scripted solutions, be sure to add trap statements at the start and end of each script to intercept attempts to break out of the script.


mark
the future will be a lot like now, only later
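
The trap advice above, combined with the deny list and the parent-process check from the earlier replies, as an added example that is not part of the original thread. It assumes a POSIX shell, a ps that accepts -p, and the /etc/nodirectlogin format shown earlier; the function names are hypothetical.

```shell
# Added example: login gate functions for /etc/profile (call login_gate early).
# Assumed deny list format, from the thread: one "user:Full Name" per line.
DENYLIST=${DENYLIST:-/etc/nodirectlogin}

# Start of gate: ignore hangup/interrupt/quit/terminate so a keypress during
# the check cannot abort the profile and leave the user at a prompt.
gate_lock()   { trap '' HUP INT QUIT TERM; }
# End of gate: restore default handling for sessions that are allowed in.
gate_unlock() { trap - HUP INT QUIT TERM; }

# True when user $1 appears as the exact first field of deny file $2.
# A missing or unreadable file means "not listed" (the gate fails open).
listed() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# True when the ps line of the parent process ($1) names telnetd.
from_telnet() {
    case $1 in
        *telnetd*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Decision only, no side effects: 0 = refuse this login, non-zero = allow.
# Args: user name, ps line of the shell's parent, deny file.
should_block() {
    listed "$1" "$3" && from_telnet "$2"
}

login_gate() {
    gate_lock
    user=${LOGNAME:-$(id -un)}
    # For "su -" the parent is su and on the console it is not telnetd, so
    # only direct telnet logins of listed users are refused. cron never
    # reads the profile at all.
    parent=$(ps -p "$PPID" 2>/dev/null | tail -1)
    if should_block "$user" "$parent" "$DENYLIST"; then
        echo "### sorry, telnet access disabled for $user ###"
        sleep 3    # give the user time to read the message
        exit 1
    fi
    gate_unlock
}
```
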