Operating System - HP-UX

Re: prevent access to certain hosts

 
Jeff Smee
Advisor

prevent access to certain hosts

Question: I have a bunch of workstations and servers in the same NIS domain (with a shared automount home), but I wish to restrict login (including remsh and ftp) access to certain hosts for certain accounts.
Does anyone know of an easy way to do this?

Thanks
Jeff
Bill Hassell
Honored Contributor

Re: prevent access to certain hosts

The only way to do this is to explicitly code tests in /etc/profile (and /etc/csh.login if necessary) to exit if the user is not allowed. For ftp, use the ftpusers file. See:

http://docs.hp.com/en/B2355-90778/ch02s02.html?btnNext=next%A0%BB


Bill Hassell, sysadmin
Jeff Smee
Advisor

Re: prevent access to certain hosts

Thanks Bill, but will that prevent remsh too?
Bill Hassell
Honored Contributor

Re: prevent access to certain hosts

remsh is easy. No one can use remsh until there is a .rhosts file in the user's $HOME directory. If the user can't login on that system, they can't create a .rhosts file. rexec is a bit different. It's like remsh except the login/password info is stored in the local system. It sounds like certain systems must be kept more secure than others so I would look at simply turning off rexec and the rest of the 'r' commands (rcp, remsh, rlogin) for those systems.


Bill Hassell, sysadmin
Jeff Smee
Advisor

Re: prevent access to certain hosts

...but since their home directory is automounted everywhere, they can create a .rhosts on any machine and use that .rhosts to remsh to the machine I don't want them to have access to.
Frank de Vries
Respected Contributor

Re: prevent access to certain hosts

Hi Jeff,

What about a 'sudo' solution, whereby
you only list those users that
should have access to remsh etc..

www.courtesan.com/sudo/

Or some scripting, replacing
the remsh with a program that
calls remsh (give it a different name)
You can then set up a filter the way
you want.

Or work with group differentiation,
and use this group on remsh.

keep cooking;
Look before you leap
Peter Nikitka
Honored Contributor

Re: prevent access to certain hosts

Hi,

You can try to use netgroups to disallow login. h1 == hostname of a host with restricted access.

EACHHOST:/etc/nsswitch.conf:
passwd: compat
netgroup: nis

NISMASTER:/etc/netgroup:
...
dny_h1 (,user1,) (,user2,) ...
dny_h2 (,user1,) (,user3,) ...
dny_all dny_h1 dny_h2 ...

h1:/etc/passwd
...
-@dny_h1::::::
+:::::::

So you have an easy syntax for denying a group of users for individual hosts. To deny all such users at a special host, use:
MOSTSECUREHOST:/etc/passwd:
...
-@dny_all::::::
+:::::::

mfG Peter

The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Jeff_Traigle
Honored Contributor

Re: prevent access to certain hosts

Since you're using NIS, you can use netgroups to restrict logins via entries in /etc/passwd. It's been many years since I did this, but it worked well. Once you have the netgroups set up in NIS, you put entries like this in /etc/passwd:

-@nologin::-2:-2:::
+@logingroup::-2:-2:::

See netgroup(4) and passwd(4) man pages for details.
--
Jeff Traigle
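
Added example (not part of any reply in this thread, and not HP's code): a small audit helper that expands nested netgroups such as dny_all and reports whether a given account would resolve on a host whose /etc/passwd carries the -@group / + entries shown in the netgroup replies. It assumes a simplified model in which passwd entries are read top to bottom and the first match decides; the sample data, the NIS_USERS set and all function names are constructed for illustration.

```python
import re

# Constructed sample data modelled on the netgroup replies (no real hosts or users).
NETGROUP = "dny_h1 (,user1,) (,user2,)\ndny_h2 (,user1,) (,user3,)\ndny_all dny_h1 dny_h2\n"
PASSWD_H1 = "root:*:0:3::/:/sbin/sh\n-@dny_h1::::::\n+:::::::\n"
NIS_USERS = {"user1", "user2", "user3", "user4"}  # hypothetical NIS passwd map

def parse_netgroup(text):
    """Return {netgroup: [members]}; a member is a (host,user,domain) triple or a group name."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            groups[parts[0]] = re.findall(r"\([^)]*\)|\S+", parts[1] if len(parts) > 1 else "")
    return groups

def users_in(group, groups, seen=None):
    """Expand a netgroup to user names, following nested groups; '*' means any user."""
    seen = set() if seen is None else seen
    if group in seen:          # guard against netgroups that include each other
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member.startswith("("):
            fields = [f.strip() for f in member.strip("()").split(",")]
            if len(fields) == 3 and fields[1] != "-":   # "-" matches no user
                users.add(fields[1] or "*")             # empty field is a wildcard
        else:
            users |= users_in(member, groups, seen)
    return users

def login_verdict(user, passwd_text, groups, nis_users):
    """Assumed model: walk the passwd file top to bottom; the first matching entry decides."""
    for line in passwd_text.splitlines():
        name = line.split(":", 1)[0]
        if name[:2] in ("-@", "+@"):
            members = users_in(name[2:], groups)
            if (user in members or "*" in members) and (name[0] == "-" or user in nis_users):
                return "denied" if name[0] == "-" else "allowed"
        elif name == "-" + user:
            return "denied"
        elif name in ("+", "+" + user) and user in nis_users:
            return "allowed"
        elif name == user:
            return "allowed"   # ordinary local account
    return "denied"            # no entry resolved the user
```

Running it against each host's real passwd file and the NIS netgroup source shows at a glance whether a -@ line sits below the + line, in which case this model reports the account as allowed.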