Re: how restrict any user from logging remotely ?

 
PUJOL Gregory
Occasional Advisor

how restrict any user from logging remotely ?

Hi,

On HP-UX V10.20, how can I restrict any user from logging in remotely?
I would like the only ways to connect as this "restricted user" to be:
- on the console;
- by "su" from a "non-restricted user".

Thanks
GRP
Torsten.
Acclaimed Contributor

Re: how restrict any user from logging remotely ?

Hello,

you can find information about this in
man hosts.equiv (for rlogin configuration) or
man inetd.sec (for telnet/ftp access).
Another way to configure user access is to use SAM:

sam Areas->Networking and Communication->System Access

Hope this helps

Torsten

Santosh Nair_1
Honored Contributor

Re: how restrict any user from logging remotely ?

I've been able to do this by modifying /etc/profile so that it checks if someone is trying to log in directly as the restricted user and, if so, issues an error message and exits.

The way to check if the user is logging in directly is to look at the parent process of the shell; it should be another shell and not rlogind or telnetd. I can post my script if you'd like.

-Santosh
Bernie Vande Griend
Respected Contributor

Re: how restrict any user from logging remotely ?

I do this similarly to how Santosh does, that is, using /etc/profile, but I check to see if the userID is that restricted user and then check the TTY that is being used. Unless it is /dev/console, then it is not allowed.
PUJOL Gregory
Occasional Advisor

Re: how restrict any user from logging remotely ?

Yes, I'd like to see your script.
Thanks.
Brian Markus
Valued Contributor

Re: how restrict any user from logging remotely ?

I added this to my /etc/profile a long time ago. It worked just fine.
Just touch a file called nologin in /etc. If it exists, then it will only allow the following users in.


if [ -r /etc/nologin ]
then
    case $LOGNAME in
        root ) ;;
        bmarkus ) ;;
        oracle ) ;;
        # anyone not listed above is refused while /etc/nologin exists
        * ) echo "Logins are currently disabled"; exit 1 ;;
    esac
fi


Good luck

Hope it helps

Brian
Santosh Nair_1
Honored Contributor

Re: how restrict any user from logging remotely ?

Brian,

Wouldn't that just effectively prevent anyone from logging in as those users...even an su wouldn't work (?).

Anyway, I've attached my script. I also make the following changes to /etc/profile:

------cut here-----
UID=`id -u`

# /etc/nologin keeps everyone but root out
if [ -f /etc/nologin -a ! "$UID" = 0 ]
then
    echo "Machine not yet available"
    exit 0
fi
if [ ! -d "${HOME}" ]
then
    echo "Unable to change directory to ${HOME}"
    exit 1
fi

# Check if in multiuser mode (i.e. runlevel is 3 or 4)

set `/usr/bin/who -r`
RL=$3
set --
# tty is quoted because it prints "not a tty" (two words) when there is no terminal
if [ "$RL" = 3 -o "$RL" = 4 ] && [ "`/usr/bin/tty`" != /dev/console ]
then
    if [ -f /etc/checkuser ];then
        . /etc/checkuser
    fi
fi

------cut here-----
The script is called checkuser. I create a special group, i.e. su_, where is the account that I'm trying to restrict. This allows me to restrict direct logins as that user and also allows me to say WHO can log in as that user.

Hope this helps.

-Santosh
Kim Kendall_1
Occasional Advisor

Re: how restrict any user from logging remotely ?

create the file /etc/securetty and add console
on a single line

echo "console" > /etc/securetty

Then only the console will allow direct root logins. All
remote logins must be made with regular accounts
and then they can "su" to root.
Darrell Allen
Honored Contributor

Re: how restrict any user from logging remotely ?

Keep in mind that not all logins use /etc/profile, specifically csh users. You would need to make appropriate changes for those shells also (csh uses /etc/csh.login).

/etc/profile and /etc/csh.login are not executed for "su loginid", but are executed for "su - loginid". That means that after someone logs in they could "su loginid" regardless of any checks in profile or csh.login. However, to allow "su - loginid" to bypass the edit for being on the console you would need to determine if the user is su'ing. You could do something like:
loginid=`who am i|awk '{print $1}'`
suid=`/usr/bin/whoami`
if [ "$loginid" = "$suid" ]
then
    # check to see if on console: a direct login anywhere else is refused
    if [ "`/usr/bin/tty`" != /dev/console ]
    then
        echo "Direct logins as $suid are only allowed on the console"
        exit 1
    fi
fi

This works because "whoami" returns the suid while "who am i" returns the loginid. If they are the same the user is probably logging in. If different, they are su'ing.

Darrell
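As an added example (not code from any post in this thread), here is Santosh's "su group" idea and Darrell's "who am i" versus "whoami" test folded into one sh function whose inputs are passed as arguments, so the decision can be exercised with constructed values rather than a live terminal. The account name appadm and the group su_appadm are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from any poster in this thread.
# Placeholders: the restricted account and the group whose members may su to it.
RESTRICTED=appadm
SUGROUP=su_appadm

# gate EFFECTIVE_USER LOGIN_USER TTY MEMBERS
#   EFFECTIVE_USER  what `whoami` reports (the account being entered)
#   LOGIN_USER      what `who am i` reports (the account that logged in)
#   TTY             what `tty` reports
#   MEMBERS         comma-separated member field of $SUGROUP from /etc/group
# Prints allow/deny and returns 0/1 so it can be used as a condition.
gate() {
    eff=$1 login=$2 term=$3 members=$4
    # Only the restricted account is policed; everyone else passes.
    if [ "$eff" != "$RESTRICTED" ]; then
        echo allow; return 0
    fi
    # No login name (no terminal, batch job): treat as a remote entry.
    if [ -z "$login" ]; then
        echo deny; return 1
    fi
    # Same name from both commands means a direct login, not an su.
    if [ "$login" = "$eff" ]; then
        if [ "$term" = /dev/console ]; then
            echo allow; return 0
        fi
        echo deny; return 1      # direct login on a remote tty/pty
    fi
    # An su: the originating login must be listed in $SUGROUP.
    case ",$members," in
        *",$login,"*) echo allow; return 0 ;;
    esac
    echo deny; return 1
}

# Member field (4th) of an /etc/group line, e.g. "su_appadm:*:500:alice,bob".
group_members() {
    echo "$1" | cut -d: -f4
}

# For a real /etc/profile the inputs come from live commands. Per Fred's
# caveat, the check is skipped when /usr is not mounted (single-user boot),
# since whoami, awk and cut live there.
live_check() {
    [ -x /usr/bin/whoami ] || return 0
    line=$(grep "^$SUGROUP:" /etc/group)
    gate "$(/usr/bin/whoami)" "$(who am i | awk '{print $1}')" \
         "$(/usr/bin/tty)" "$(group_members "$line")" >/dev/null || exit 1
}
```

Calling live_check from /etc/profile ends the session with exit 1 when the gate says deny; csh users still need the equivalent in /etc/csh.login, as Darrell notes.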
Fred Martin_1
Valued Contributor

Re: how restrict any user from logging remotely ?

I had a situation where I wanted to control who logged in remotely, i.e. from another network, and I wanted to control it by who they were.

So I created a group in /etc/group, and this became the access list for who was allowed in.

Then, in /etc/profile, I added a section at the top that 1) determined if they were coming from another network, and if so 2) checked to see if the user was a member of the group.

The script logged them out if 1 was true but 2 was false.
Fred Martin_1
Valued Contributor

Re: how restrict any user from logging remotely ?

Forgot to mention, there is a thread here somewhere with my name on it, as we discussed some of the details when I set that up.

Also note that my solution will also prevent someone from logging in from another network and then su'ing to another user unless that user is also in the access list. This is because /etc/profile will run again for the su.
Wodisch
Honored Contributor

Re: how restrict any user from logging remotely ?

Hello,

do not forget the other ways of logging in:
- remote shell: remsh
- secure shell: ssh
- X-Windows/CDE: XDMCP
- NFS remote execution: on

You will have to block those, too.
For "remsh" and "ssh" you may use "/var/adm/inetd.sec",
for "XDMCP" (X Windows Display Manager Protocol) you
can restrict it in "/etc/dt/config/Xsetup", and for the "on"
command in "/etc/inetd.conf".

HTH,
Wodisch
Fred Martin_1
Valued Contributor

Re: how restrict any user from logging remotely ?

I know this is an old thread and there are several others here, about adding stuff to /etc/profile.

Just a word of caution: if you add any script language that uses commands from /usr/bin, like sed, getip, etc., then the script will prevent you from booting in single user mode, since /usr is not mounted when /etc/profile is executed.