Operating System - HP-UX

Disabling Telnet for specific users

 
Bruce Link
Occasional Contributor

Disabling Telnet for specific users

I'm looking to migrate users on an 11i system off of telnet and onto SSH. I am unable to stop the telnetd process, as our production systems require that a generic login be able to access the server. I'm not too worried about this traffic as no sensitive information is being passed over these sessions.

I fear that asking them nicely not to use telnet will have a limited effect.

In a nutshell, what I need to do is disable telnet for all users except 'menu'. I've looked into slapping some script to kick them off into /etc/profile but I fear that will take effect when they log in through ssh as well. I'm unable to find a way to tell the difference between a telnet session and an ssh session in a shell script so I can terminate the connection appropriately.

Thanks in advance (and please excuse my abhorrent spelling)
Bruce
Paula J Frazer-Campbell
Honored Contributor

Re: Disabling Telnet for specific users

Bruce


In a script, pick up the process ID and its parent ID, and if the parent is telnetd then exit.

Just an idea.

Paula
If you can spell SysAdmin then you is one - anon
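
The parent-process check suggested above, written out as an added example (not code from any poster in this thread). The function names are illustrative, and it assumes the login shell's parent is telnetd or sshd and that /etc/profile ignores interrupts while the check runs.

```shell
#!/bin/sh
# Added example for /etc/profile; function names are illustrative.
# Assumes the login shell's parent is telnetd or sshd (login has exec'd the shell).
TELNET_ALLOWED_USERS="menu"     # from the thread: only 'menu' keeps telnet

# Name of the parent process. UNIX95 turns on the XPG4 'ps -o' syntax on HP-UX.
parent_command() {
    UNIX95=1 ps -p "$PPID" -o comm= 2>/dev/null
}

# classify_session COMMAND -> prints telnet, ssh or other.
# Keyed on the parent process, not on SSH_* variables: the environment of a
# telnet login can be influenced by the client (telnet NEW-ENVIRON option).
classify_session() {
    case ${1##*/} in
        *telnetd) echo telnet ;;
        sshd)     echo ssh ;;
        *)        echo other ;;   # console, su, cron: left alone
    esac
}

# telnet_permitted USER TRANSPORT -> status 0 when the login may continue.
telnet_permitted() {
    [ "$2" = telnet ] || return 0
    for allowed in $TELNET_ALLOWED_USERS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Call this in /etc/profile while interrupts are ignored (trap '' 1 2 3),
# so the check cannot be interrupted from the keyboard.
enforce_telnet_policy() {
    user=$(id -un)
    if ! telnet_permitted "$user" "$(classify_session "$(parent_command)")"; then
        echo "telnet is disabled for $user; please connect with ssh." >&2
        logger -p auth.notice "telnet login refused for $user"
        exit 1
    fi
}

# Constructed cases (user, parent command as ps would report it).
for sample in "menu telnetd" "bruce telnetd" "bruce sshd"; do
    set -- $sample
    if telnet_permitted "$1" "$(classify_session "$2")"
    then echo "$1 via $2: allow"
    else echo "$1 via $2: refuse"
    fi
done
```

Accounts whose login shell does not read /etc/profile (csh, for example) are not covered by this check.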
Pete Randall
Outstanding Contributor

Re: Disabling Telnet for specific users

Bruce,

You get an A+ for spelling! Not a single mistake.


Pete
Uday_S_Ankolekar
Honored Contributor

Re: Disabling Telnet for specific users

Run man on inetd.sec.

You can configure the /var/adm/inetd.sec file to allow only specific IP addresses to access ftp, telnet, rlogin, etc. You can configure it for an entire subnet or a particular IP.

Good luck

-USA..
Good Luck..
Gregory Lee_1
Regular Advisor

Re: Disabling Telnet for specific users

Bruce,

Being relatively new to Unix I could be wrong on this, but couldn't you use TCP Wrappers and then deny all in the hosts.deny file?

You could have the telnet process running but no one could access it.

Regards,
Greg
Kelli Ward
Trusted Contributor

Re: Disabling Telnet for specific users

Hi Gregory,
Although tcp_wrappers and inetd.sec will allow or restrict networks and hosts, I do not believe they will restrict users on networks or hosts, so as I understand, they won't work for his needs.

HTH,
Kel
The more I learn, the more I realize how much more I have to learn. Isn't it GREAT!
Jeff Schussele
Honored Contributor
Solution

Re: Disabling Telnet for specific users

Hi Bruce,

Yes, you CAN do this with tcp_wrappers.

First - set up the hosts.deny as follows

telnetd : ALL

Then - set up the hosts.allow as follows

telnetd : menu@ALL

Of course this does nothing about FTP, rlogin, finger, etc. But you can tailor the files to cover those as well or use inetd.sec to limit those in addition. And you could limit the user menu to a specific host or subnet:

telnetd : menu@host1
telnetd : menu@128.1.1

HTH,
Jeff

P.S. Sorry Kel...had to set the record straight.
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Kelli Ward
Trusted Contributor

Re: Disabling Telnet for specific users

No Problem,
I don't use tcp_wrappers all that much.
Can you use user@ with inetd.sec?
Never seen it in the man pages, didn't think you could.
If not, I think it should be added, that's a usable tool.
Thanks for the info.
Kel
The more I learn, the more I realize how much more I have to learn. Isn't it GREAT!
Jeff Schussele
Honored Contributor

Re: Disabling Telnet for specific users

Hi Kel,

AFAIK only tcp_wrappers has this functionality - you're correct, inetd.sec does not.

Rgds,
Jeff

P.S. The new hat looks good on you. Purple must be your color.
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jim Krol
Advisor

Re: Disabling Telnet for specific users

I found this question interesting, because I am trying to do a similar function. I need to disable telnetd specifically for one user. I want the user to have access to ftp and they must have full access to their startup files, i.e., /etc/profile, .profile, etc.

I loaded the tcp_wrappers for 11.0 from the "dspp" page. Seems to have loaded ok.

However, I cannot get the /etc/hosts.allow or the /etc/hosts.deny to act as I wish. I have read the hosts_access man pages...I thought things were pretty clear, but, I can't seem to deny telnetd to a specific user.

This is my entry in the hosts.deny (I have no hosts.allow):
telnetd: myuserid@ALL

(I'm really looking for a function like the /etc/securetty --- the root only deny mechanism).

Any help would be appreciated.