As mentioned, telnet must connect BEFORE asking the user anything. And the program that asks the user name is login, not telnetd. So there is nothing in tcpwrappers that will help. Instead, you add the restriction in /etc/profile (or ..shudder.. /etc/csh.login). /etc/profile must be owned by root and not writable by anyone else. There must be a trap statement pair to keep users from breaking out of the /etc/profile script:
...
trap "" 1 2 3
...rest of profile...
trap 1 2 3
This tells the login shell to do nothing if the user tries to escape using CTRL-C, etc. Standard HP profile has this (see /usr/newconfig/etc/profile). In /etc/profile, near the top, create the disallowed user code. In it's simplest format:
BADUSER=billh
[ $(id -un) = $BADUSER ] && exit
Now, you may have a list of bad users in a file so the code becomes:
BADUSERFILE=/etc/baduser
if [ -r $BADUSERFILE ]
then
cat $BADUSERFILE | while read BADUSER
do
[ $(id -un) = $BADUSER ] && exit
done
fi
And you might want to log these attempts in case there is a security problem:
BADUSERFILE=/etc/baduser
if [ -r $BADUSERFILE ]
then
cat $BADUSERFILE | while read BADUSER
do
if [ $(id -un) = $BADUSER ]
then
REMOTE=$(who -muR | awk '{print $NF}')
logger -t /etc/profile -p daemon:warn "User $BADUSER tried to login from $REMOTE"
fi
done
fi
Bill Hassell, sysadmin
