
Re: How to limit a user to login from a specific IP address only?

 
Bolek Mynarski
Frequent Advisor

How to limit a user to login from a specific IP address only?

Oops. My previous post was wrong. Please, ignore it. I pasted from the wrong window.

Here it goes:

I want to limit a specific user on HP-UX 11.00i so he can only log in from a specific IP address via telnet.

Is this possible using HP-UX tools short of writing a custom shell script (I don't want to re-invent a wheel here)?

Thanks.
It's never too late to learn new things...
Uday_S_Ankolekar
Honored Contributor

Re: How to limit a user to login from a specific IP address only?

You want to modify the /var/adm/inetd.sec file.

In this file you can configure which IP addresses you want to give access to.
Here is the example:

telnet allow
shell allow
exec allow


-USA..

Good Luck..
Patrick Wallek
Honored Contributor

Re: How to limit a user to login from a specific IP address only?

While the /var/adm/inetd.sec allows you to only allow logins from certain IP addresses, it does not allow you to limit those logins to certain users from those IP addresses.

I know of no easy way to do what you require. The only thing I can think of is to modify each user's /etc/profile, check the IP addy they are coming from and if it is not the correct one, do an 'exit 1'.

You could also write a script that is called from ~/.profile so that you can have a single point of control for all users and IPs, but if you have an experienced user, s/he could modify their own .profile to take that out.

Good luck in finding an appropriate solution.
Jeff Schussele
Honored Contributor

Re: How to limit a user to login from a specific IP address only?

Hi Boleslaw,

About the only & the easiest way to do this would be to obtain & implement tcp_wrappers. Can be had here free:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Although one note - you'll need to compile it with that option enabled. I don't think the option is enabled by default. There are several other points to be aware of so visit the README page:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/readme.html

especially the section 4.4 on Client username lookups.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Donny Jekels
Respected Contributor

Re: How to limit a user to login from a specific IP address only?

this is very to implement.

although not out of the box, but you can do it in your /etc/profile file.

1. in this file grab the user's login id that you want to watch.

NAME=$(whoami)

2. you want to get the user's IP address from where they login.

this is tricky but check this out.

MACHINE=$(who -Rm)

now you have a line with the host computer's DNS name.

then do a nslookup on the name.

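check_user()
{
# who -Rm prints the line for this session; field 6 is the remote host in parentheses
set -- $(who -Rm)
Machine=${6#\(}
Machine=${Machine%\)}
# "| read IP" sets IP in the login shell under ksh-style shells,
# where the last pipeline stage runs in the current shell
nslookup $Machine | strings | tail -n 1 | cut -f2 -d":" | read IP
NAME=$(whoami)

# variable names are case-sensitive: the host name is in $Machine, not $MACHINE
# quoting keeps the test valid when a value is empty
if [ "$NAME" = "usertowatch" -a "$Machine" != "dumbpc" ]
then
exit
fi
}

check_user

add the last lines to /etc/profile and give me 10 points.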
"Vision, is the art of seeing the invisible"
Donny Jekels
Respected Contributor

Re: How to limit a user to login from a specific IP address only?

sorry just tested the if statement.

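# quoted so that an empty $IP (failed lookup) still fails the comparison
# and the user is refused, instead of the test erroring out and letting them in
if [ "$NAME" = "usertowatch" ] && [ "$IP" != "10.0.0.1" ]
then
# kick him out
exit 0
fi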

"Vision, is the art of seeing the invisible"
Donny Jekels
Respected Contributor

Re: How to limit a user to login from a specific IP address only?

here is how I greet my users when they login.

this goes into either their .profile or /etc/profile.

if you stick it in their .profiles, savvy users will delete it, BUT if you stick it in the /etc/profile then you have control over it.

greet()
{
set -- $(who -Rm)
Machine=${6#\(}
Machine=${Machine%\)}
nslookup $Machine | strings | tail -n 1 | cut -f2 -d":" | read IP
NAME=$(whoami)
# anchor the match on the login-name field so "bob" does not also match "bobby"
grep "^${NAME}:" /etc/passwd|awk -F: '{print $5}'|awk '{print $1}'|read Name
HOUR=$(date +%H)
if [ $HOUR -le 12 ] && [ $HOUR -ge 0 ]
then
greet=Morning
elif [ $HOUR -gt 12 ] && [ $HOUR -le 18 ]
then
greet=Afternoon
else
greet=Evening
fi
if [ -f /usr/bin/mail ]
then
if mail -e
then
ifmail=$(echo "You've got mail, please check it.")
else
ifmail=$(echo "You don't have mail at this time.")
fi
fi
printf "\n\tGood $greet, $Name, $ifmail\n\n\n"
printf "\tYour PC's IP address is: $IP\n\n"
printf "\tYour PC's name is: $Machine\n\n"
printf "\tToday is: `date +%A`\n\n"
printf "\tDate is: `date +%D`\n\n"
}
greet

you could even kick that "usertowatch" out with a nice message, telling them to go away or to go back to their desk, with a ball and chain, and stay there until further notice.

:-))
Donny
"Vision, is the art of seeing the invisible"
KCS_1
Respected Contributor

Re: How to limit a user to login from a specific IP address only?

hi,

you can download and install TCP_WRAPPER program into your host from www.software.hp.com

that's an easy way to specify IP blocking for your security.

have a good day~
Easy going at all.
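
An added example, not part of any post in this thread: the /etc/profile check discussed above, restructured so the decision is separate from the lookup and a restricted user with an unknown origin is refused. The ALLOW_LIST format and the function names are assumptions made for this example; the entries must match whatever string `who -Rm` reports in parentheses (host name or address).

```shell
# Constructed sample policy: one "user:origin" pair per line.
# Users that do not appear in the list are not restricted.
ALLOW_LIST='usertowatch:10.0.0.1
usertowatch:10.0.0.2'

# Extract the remote host from one line of `who -Rm` output, e.g.
#   "usertowatch pts/3 Jan 12 10:20 (10.0.0.1)"
# Prints nothing when the line has no parenthesised host (console login).
remote_from_who() {
    case $1 in
        *\(*\)) _r=${1##*\(}; printf '%s\n' "${_r%\)}" ;;
    esac
}

# Return 0 if the user may log in from the given origin, 1 otherwise.
# A restricted user with an empty or unlisted origin is refused (fail closed).
login_allowed() {
    _user=$1 _origin=$2 _restricted=0
    while IFS=: read -r _u _a; do
        [ "$_u" = "$_user" ] || continue
        _restricted=1
        [ -n "$_origin" ] && [ "$_a" = "$_origin" ] && return 0
    done <<EOF
$ALLOW_LIST
EOF
    [ "$_restricted" -eq 0 ]
}

# How /etc/profile would call it (left commented so sourcing this file is harmless):
# trap '' INT QUIT      # keep an interrupt from skipping the check
# login_allowed "$(whoami)" "$(remote_from_who "$(who -Rm)")" || exit 1
# trap - INT QUIT
```

/etc/profile is only read by sh/ksh login shells, so a check placed there does not cover csh users, ftp, or remsh command execution.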