Operating System - HP-UX

restrict login based on combi MAC address and username

INCS Dept.
Frequent Advisor

Hello,

Is there a way to restrict the logon of users based on the combination of IP addresses and usernames?

Bye,

INCS
Jakes Louw
Trusted Contributor

Re: restrict login based on combi MAC address and username

Why a combination? Surely restricting by way of IP address is sufficient? Or are you actually saying you want to make sure USERA logs in only from IP address 111.222.333.444?
That means only allowing USERA in with that IP?
Trying is the first step to failure - Homer Simpson
Matti_Kurkela
Honored Contributor

Re: restrict login based on combi MAC address and username

Which logon method are you using?

If you use commercial SSH from ssh.com, you can create address patterns to pick up host-specific extra configuration files, which can specify AllowUsers and/or DenyUsers directives. I think this would give you what you ask.

The standard HP-UX login methods don't seem to have this flexibility. Of course, with TCP wrappers you could create rules based on usernames... but TCPWrapper must make its decisions when the user is not yet authenticated, so you're trusting that the user is who the client's identd says.

If the user has total control over the client host, he/she can make the identd report any desired username. If there is no identd on the client host, you won't get the username. So this approach is very unreliable and can be used only between trusted hosts in a trusted network.
MK
Jakes Louw
Trusted Contributor

Re: restrict login based on combi MAC address and username

You could also set up your own allow file, which will be two columns: username and IP address.

Then you need to modify the login script for the specific shell type (/etc/csh.login, etc) to perform a "who -u" and related checks, then compare this to your allow file, and then either exit the connection or continue.
I can send the specific scripting tomorrow.
Trying is the first step to failure - Homer Simpson
Bill Hassell
Honored Contributor

Re: restrict login based on combi MAC address and username

There is nothing built into the login steps to do this except /etc/profile. Just after the first trap command in the standard /etc/profile, obtain the hostname/IP address using who -muR and the username with $LOGNAME or id. Then make your test inside the script. Then log the occurrence of a forbidden login (see the logger command) and exit.


Bill Hassell, sysadmin
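Putting the two suggestions above together (Jakes Louw's two-column allow file and Bill Hassell's who -muR test in /etc/profile), here is an added example in POSIX sh. It is not code from either poster. It assumes a hypothetical allow file, /etc/login.allow, of "username host" lines, and for the stand-alone run it parses constructed who -muR lines and a constructed allow file rather than a real session, so it can be tried outside a login:

```sh
#!/bin/sh
# Added example (not code from the thread): per-user source-host allow list
# checked from /etc/profile, in the spirit of the two posts above.
# Assumptions: a hypothetical allow file (default /etc/login.allow) with two
# columns, "username host", where host is whatever `who -muR` reports for the
# session (hostname or IP). "*" in the host column allows any host; a user
# with no line is denied; lines starting with # are comments.

# Return 0 if USER coming from HOST has a matching line in ALLOWFILE, else 1.
login_allowed() {
    la_user=$1; la_host=$2; la_file=$3
    [ -r "$la_file" ] || return 1
    while read -r a_user a_host a_rest; do
        case $a_user in ''|\#*) continue ;; esac
        if [ "$a_user" = "$la_user" ]; then
            if [ "$a_host" = "$la_host" ] || [ "$a_host" = "*" ]; then
                return 0
            fi
        fi
    done < "$la_file"
    return 1
}

# Print the remote host from one line of `who -muR` output. HP-UX prints the
# host bare as the last field; some other who(1)s wrap it in parentheses.
# A console login has no host field, so the last field is the PID (all
# digits): print nothing in that case so the caller can treat it separately.
who_host() {
    set -- $1
    wh=
    for wh in "$@"; do :; done
    wh=${wh#\(}; wh=${wh%\)}
    case $wh in *[!0-9]*) ;; *) wh= ;; esac
    printf '%s\n' "$wh"
}

# What /etc/profile would call just after its first trap: deny and log a
# user/host pair that is not allowed. Not invoked in this stand-alone run,
# because it needs a real login session and exits the shell on denial.
enforce_login_policy() {
    el_file=${1:-/etc/login.allow}
    el_user=${LOGNAME:-$(id -un)}
    el_from=$(who_host "$(who -muR)")
    if ! login_allowed "$el_user" "$el_from" "$el_file"; then
        logger -p auth.warning -t login-policy \
            "denied login: user=$el_user from=${el_from:-console}"
        exit 1
    fi
}

# Write a constructed sample allow file to PATH (for the demo below).
make_sample_allowfile() {
    cat > "$1" <<'EOF'
# user        host
usera         10.1.2.3
usera         ws01.example.com
userb         *
EOF
}

# Constructed `who -muR` lines in HP-UX layout (user, line, time, idle, PID, host).
WHO_OK='usera      pts/ta       Jun 12 09:15   .  12345 10.1.2.3'
WHO_BAD='usera      pts/tb       Jun 12 09:16   .  12346 10.9.9.9'
WHO_CONSOLE='usera      console      Jun 12 09:17   .  12347'

# Return 0 only if every constructed case is decided as expected against FILE.
check_demo() {
    login_allowed usera "$(who_host "$WHO_OK")" "$1" || return 1       # listed pair
    login_allowed usera "$(who_host "$WHO_BAD")" "$1" && return 1      # wrong host
    login_allowed usera "$(who_host "$WHO_CONSOLE")" "$1" && return 1  # console, no host
    login_allowed userb "$(who_host "$WHO_BAD")" "$1" || return 1      # "*" entry
    login_allowed nobody 10.1.2.3 "$1" && return 1                     # unlisted user
    return 0
}

DEMO_FILE=${TMPDIR:-/tmp}/login.allow.$$
make_sample_allowfile "$DEMO_FILE"
if check_demo "$DEMO_FILE"; then
    echo "all constructed cases decided as expected"
else
    echo "unexpected decision in demo" >&2
fi
rm -f "$DEMO_FILE"
```

enforce_login_policy is the part that would go into /etc/profile after the first trap; the rest is the demo. Two caveats apply to this approach: /etc/profile is only read by login shells of sh/ksh users (csh users need the same check in /etc/csh.login, as noted earlier in the thread), and non-interactive sessions such as "ssh host command" or scp never source it, so this is a usability control, not a security boundary. The host column has to match what who -muR prints, which is whatever the login service recorded in utmp, a hostname or an IP depending on whether it did a reverse lookup, so check the output for a real session before writing the file. Before deploying, keep a second root session open and give root a "*" entry, or a typo in the file will deny every login.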