Operating System - HP-UX
Guy Haase
Occasional Contributor

disable telnet to all users except for one.

I am running HP-UX 11.0 and 11i on N and L class machines. I want to know how I can disable telnet for ALL users except for one.

What is the best way to go about this?


Thanks
Steven E. Protter
Exalted Contributor

Re: disable telnet to all users except for one.

Best solution: use secure shell, and don't give the ssh client to those you don't want to connect.

/var/adm/inetd.sec

This file lets you specify by protocol what hosts are allowed and not allowed. You would allow one host to telnet and deny all other hosts on the next line of the configuration file.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: disable telnet to all users except for one.

If this user ALWAYS uses the same IP address for the client machine, you can use /var/adm/inetd.sec to allow telnet to a single IP address. Otherwise, you can use /etc/profile to test for the correct users and exit if not.


Bill Hassell, sysadmin
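The two replies above both point at /var/adm/inetd.sec. The following is an added example, not code from the thread or from HP-UX: a small POSIX sh model of how inetd applies inetd.sec rules, so the allow/deny semantics can be tried out before the real file is edited. It models only plain host names/addresses and a trailing-octet wildcard such as 10.1.2.*; the sample rules and the temporary file path are constructed for the example.

```shell
#!/usr/bin/sh
# Added example (not from the thread): a small model of how inetd applies
# /var/adm/inetd.sec rules, so the allow/deny semantics can be tried out
# before editing the real file.  Each rule line is
#     service  {allow|deny}  host [host ...]
# Only plain names/addresses and a trailing-octet wildcard such as 10.1.2.*
# are modelled here; the sample rules and file path below are constructed.

# Does host spec $1 match client address $2?
host_matches() {
    spec=$1; client=$2
    case $spec in
        '*')   return 0 ;;
        *\*)   prefix=${spec%\*}
               case $client in "$prefix"*) return 0 ;; esac ;;
        *)     [ "$spec" = "$client" ] && return 0 ;;
    esac
    return 1
}

# May client $2 reach service $1 under rules file $3?  Exit status 0 means
# permit, 1 means refuse.  An "allow" line admits only the hosts it lists;
# a "deny" line refuses the hosts it lists and admits everyone else; a
# service with no line at all is open to every host.
inetd_sec_permits() {
    service=$1; client=$2; rules=$3
    verdict=0
    while read -r svc action hosts; do
        case $svc in ''|\#*) continue ;; esac
        [ "$svc" = "$service" ] || continue
        listed=1
        for h in $hosts; do
            if host_matches "$h" "$client"; then listed=0; break; fi
        done
        case $action in
            allow) verdict=$listed ;;
            deny)  if [ $listed -eq 0 ]; then verdict=1; else verdict=0; fi ;;
        esac
    done < "$rules"
    return $verdict
}

# Constructed sample rules.  The telnet line is the one that answers the
# question in the thread: with an allow line, every host not listed is
# refused, so no separate "deny everything else" line is needed.
RULES=${TMPDIR:-/tmp}/inetd.sec.example.$$
trap 'rm -f "$RULES"' EXIT
printf '%s\n' \
    '# service  allow|deny  host(s)' \
    'telnet    allow       192.168.10.25' \
    'ftp       deny        10.1.2.*' > "$RULES"

for probe in 'telnet 192.168.10.25' 'telnet 192.168.10.26' \
             'ftp 10.1.2.7' 'ftp 10.9.9.9' 'finger 10.9.9.9'; do
    set -- $probe
    if inetd_sec_permits "$1" "$2" "$RULES"; then
        echo "$1 from $2: permitted"
    else
        echo "$1 from $2: refused"
    fi
done
```

The line to put in the real /var/adm/inetd.sec is the `telnet allow <address>` one; the model shows why a second deny line is unnecessary, and why the approach only works when the user always arrives from that address: inetd.sec decides on the client host, never on the login name. Running inetd with `-l` logs connection requests to syslog, which makes refused attempts visible while the rule is being tested.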
Jeff Schussele
Honored Contributor

Re: disable telnet to all users except for one.

Hi Guy,

In the same mode as Bill's response, you could also use TCP wrappers and use the /etc/allow/disallow files to control telnet access. The advantage to it is that you can get granularity down to the username level; /var/adm/inetd.sec cannot do that. So that covers scenarios where the user comes in from different workstations.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Don Mallory
Trusted Contributor

Re: disable telnet to all users except for one.

I don't know if it's compiled for HP-UX, but there is a PAM module for Linux called pam_listfile. If you set it to required, it allows or denies access based on the contents of a text file.

There's a good example in an article at www.samag.com - "PAM - Pluggable Authentication Modules" by Kurt Seifried.

The pam file entry would be:

auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/telnet-allow onerr=fail

Other than the base pam_kerberos, authz, ldap,unix files, does anyone know of any others that are pre-compiled for HP-UX?

-----------

Another sneakier way would be to edit the /etc/profile:

# Refuse a telnet login unless $LOGNAME appears, as a whole line, in
# /etc/telnet-ok.  ps -fp restricts the listing to the parent process
# (telnetd for a telnet session) and grep -x avoids substring matches.
if ps -fp "$PPID" | grep telnetd > /dev/null
then
    if grep -x "$LOGNAME" /etc/telnet-ok > /dev/null
    then
        :
    else
        echo "Telnet is not allowed"
        exit
    fi
fi

This would check to see if the parent ID of the login is a telnet session; if it is, it checks the contents of /etc/telnet-ok to see if the LOGNAME is in there, and if not, exits.
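The /etc/profile approach above stands or falls on how the login name is matched against the allow file. The following is an added example, not code from the thread: the same check written as POSIX sh functions, with the substring match beside a whole-line match, so the difference can be seen on constructed input. The allow file name, its contents and the function names are all assumptions made for the example.

```shell
#!/usr/bin/sh
# Added example (not from the thread): the user allow-list check that the
# /etc/profile approach depends on, written as functions so the two ways
# of matching a login name can be compared.  The allow file name and its
# contents are constructed for this example.

# Weak form: plain grep treats the login name as a pattern and matches any
# line containing it, so a listed "bobby" also admits a user called "bob",
# and an empty name matches every line.
user_listed_loose() {
    grep "$1" "$2" > /dev/null 2>&1
}

# Hardened form: -x matches whole lines only (POSIX, present in HP-UX grep),
# and an empty name is refused outright (grep -x '' would match blank lines).
user_listed_exact() {
    [ -n "$1" ] || return 1
    grep -x "$1" "$2" > /dev/null 2>&1
}

# Is the parent of this shell telnetd?  Only meaningful inside a real
# login shell; ps -fp lists just the parent process.
parent_is_telnetd() {
    ps -fp "$PPID" 2> /dev/null | grep telnetd > /dev/null
}

# The gate /etc/profile would run.  Not called below: in a login shell
# "exit" ends the session, which is the point.
telnet_profile_gate() {
    if parent_is_telnetd && ! user_listed_exact "$LOGNAME" "$1"; then
        echo "Telnet is not allowed"
        exit 1
    fi
}

# Constructed allow file: two permitted users.
ALLOW=${TMPDIR:-/tmp}/telnet-ok.example.$$
trap 'rm -f "$ALLOW"' EXIT
printf '%s\n' bobby alice > "$ALLOW"

for name in bobby bob alice ''; do
    if user_listed_loose "$name" "$ALLOW"; then loose=admitted; else loose=refused; fi
    if user_listed_exact "$name" "$ALLOW"; then exact=admitted; else exact=refused; fi
    echo "'$name': substring grep $loose, grep -x $exact"
done
```

Two caveats for anyone deploying the profile check: it only reaches users whose login shell reads /etc/profile (sh and ksh; a csh user reads /etc/csh.login instead), and it should sit inside the part of /etc/profile where HUP, INT and QUIT are still trapped, as the stock HP-UX file does near its top, so that the user cannot interrupt the check before `exit` runs.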