HPE Community
Operating System - HP-UX
1829394 Members
3464 Online
109991 Solutions
New Discussion

Re: Disable telnet enable ssh

 
SOLVED
Go to solution
twtandigi.com.my
Frequent Advisor

‎07-29-2004 10:44 PM

‎07-29-2004 10:44 PM

Disable telnet enable ssh

hi,

i am currently using hp-ux 11.00 and have this set-back.

i would like to enquire about
1)how do i enable ssh to allow only users to access the system and not the root account to enter the system?
2)how can i disable telnet function on the HP-UX 11.00 system and enable ssh instead?

Regards,
Calvin
0 Kudos
Reply
9 REPLIES 9
Jose Mosquera
Honored Contributor

‎07-29-2004 11:00 PM

‎07-29-2004 11:00 PM

Re: Disable telnet enable ssh

Hi,

To avoid that users can not do "su - root" from system prompt, add in the /etc/defaul/security file the following line:
SU_ROOT_GROUP=

Where wil be a group of users defined into /etc/group that can execute "su - root", if only root user belong at this group nobody more can done the command.

Other way could be the /etc/securetty file, where indicate the valid devices (tty's or console) to allow root's logings.

Telnet is a service, and ssh is a command interpreter, both of them are complementary and not excluding. You could change a standar command interpreter by secure shell (ssh), but all of them always needs telnet services, at least on LAN environments.

Rgds.
Reply
Alexander M. Ermes
Honored Contributor

‎07-29-2004 11:10 PM

‎07-29-2004 11:10 PM

Re: Disable telnet enable ssh

Hi there.
In the /etc/inetd.conf you can disable the telnet line ( # in front of it ).
Rgds
Alexander M. Ermes
.. and all these memories are going to vanish like tears in the rain! final words from Rutger Hauer in "Blade Runner"
Reply
Jose Mosquera
Honored Contributor

‎07-29-2004 11:17 PM

‎07-29-2004 11:17 PM

Re: Disable telnet enable ssh

Hi again,

In any case, if you need restric the telnet service you can configure the /var/adm/inetd.sec file. For detail pls "man inetd.sec". Also other services like ftp, rmsh/rcp can be restricted by this file.


Rgds.
Reply
Fabio Ettore
Honored Contributor

‎07-29-2004 11:20 PM

‎07-29-2004 11:20 PM

Re: Disable telnet enable ssh

Hi,

in order to disable telnet you have to comment out the line of telnet service in /etc/inetd.conf:
# telnet stream tcp nowait root /usr/lbin/telnetd telnetd

About ssh: you should be able to use it just after the installation of the ssh package. Sincerely I don't know if it is possible to deny root access and permit other users.
I think /var/adm/inetd.sec wher you can deny ssh service by IP address/hostnames but it is not possible by usernames.

Best regards,
Fabio
WISH? IMPROVEMENT!
0 Kudos
Reply
sparky_2
Frequent Advisor

‎07-29-2004 11:21 PM

‎07-29-2004 11:21 PM

Solution

Re: Disable telnet enable ssh

1) sorry - not too familiar with the user authentication side of the product
2) you can disable the telnet function by putting the following line in /var/adm/inetd.sec:
telnet deny
Enabling ssh is part of the installation process whereby you need to authenticate each each remote host on the local server and copy the authorized_keys file into the .ssh directory of each remote host. The product should come with full installation guides I think.
Reply
Muthukumar_5
Honored Contributor

‎07-29-2004 11:30 PM

‎07-29-2004 11:30 PM

Re: Disable telnet enable ssh

IF you want to totally disble telnet then comment (#) telnetd entry in /etc/inetd.conf file. But it is not good to test the services and login into machines those who are not having ssh

So why do not you try to block the users to use telnet with inetd.sec file. Give ip-address or hostname in that file and block them to use telnet.

To make the users to use with user accounts to login only, create a file as

echo "console" > /etc/securetty

login security will be in effect now.

See login man page to know securetty more

Easy to suggest when don't know about the problem!
Reply
Jan Sladky
Trusted Contributor

‎07-29-2004 11:39 PM

‎07-29-2004 11:39 PM

Re: Disable telnet enable ssh

hi Calvin,

to disable telnet comment following line in
/etc/inetd.conf

telnet stream tcp nowait root usr/lbin/telnetd telnetd

and

restart inetd by inetd -c

br Jan




GSM, Intelligent Networks, UNIX
Reply
Muthukumar_5
Honored Contributor

‎07-29-2004 11:39 PM

‎07-29-2004 11:39 PM

Re: Disable telnet enable ssh

Change the permission of /etc/securetty file to 600 so that users cannot change the one.

And more SU_ROOT_GROUP parameter will not be helpful to stop the root logins. It will be used to stop the users to use su to promote as users.

To block root logins using ssh, tune

PermitRootLogin=0 on sshd_config file

Easy to suggest when don't know about the problem!
Reply
Gary L. Paveza, Jr.
Trusted Contributor

‎07-29-2004 11:43 PM

‎07-29-2004 11:43 PM

Re: Disable telnet enable ssh

To disable telnet:

Modify /etc/inetd.conf. Put a # infront of the line that starts with telnet.

If implementing ssh you may also want to disable the r-commands (rlogin, remsh, etc) since ssh is a replacement for these as well. The valid lines are login (for rlogin), shell (for remsh), and exec.

FTP as well though this may be more difficult if you use ftp from a PC which does not support sftp or scp.

Once you make these changes, you need to have inetd re-read it's configuration file.

Send it a SIGHUP command or issue the command inetd -c to get it to reread it's configuration.

To prevent direct login via ssh, you need to modify the /opt/ssh/etc/sshd_config script. Make sure there is a line that says PermitRootLogin no is not commented. You will need to restart ssh (/sbin/init.d/secsh stop, /sbin/init.d/secsh start)
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.