HPE Community
Operating System - HP-UX
1827771 Members
2674 Online
109969 Solutions
New Discussion

Restrict specific user from telnet session with c shell

 
SOLVED
Go to solution
shardam
Frequent Advisor

‎09-20-2007 09:27 PM

‎09-20-2007 09:27 PM

Restrict specific user from telnet session with c shell

Hi,

I appreciate if someone has encountered to restrict particular user from telnet with c shell. This user must only be used by "su" from the normal users (switch only). I tried to create a script under .cshrc and even from .login but still bypassing it and user can still login directly. The requirements must only restrict this user to login directly by telnet and normal users must do su to this restricted user(telnet). My client is using telnet and they haven't ssh implemented, kinda weird =) as already suggested but still stick to telnet =). Thank you for the sharing of your comments!
0 Kudos
Reply
16 REPLIES 16
Aussan
Respected Contributor

‎09-21-2007 01:40 AM

‎09-21-2007 01:40 AM

Re: Restrict specific user from telnet session with c shell

make his shell false

Make the default-shell for the user /usr/bin/false
be sure this is in the /etc/shells file.

The tongue weighs practically nothing, but so few people can hold it
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎09-21-2007 01:48 AM

‎09-21-2007 01:48 AM

Re: Restrict specific user from telnet session with c shell

/usr/bin/false for the shell will lock out the direct connection but it will also cause su with a "-" to fail.

Another option mentioned many times in these forums is shutdown telnet and use ssh. the ssh daemon can controll direct logins.

If really adventurous you could play with writing a wrapper around the telnet daemon. i.e. check black list then fire off telnet

Another option is to put the black list check in /etc/profile. At least the users could not circumvent this profile in liue of their own.

pssst....Don't lock yourself off the system while testing..
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎09-21-2007 01:49 AM

‎09-21-2007 01:49 AM

Re: Restrict specific user from telnet session with c shell

One other note. If you wrap the telnetd beware that it would most likely be overwritten with a patch load.
0 Kudos
Reply
Ivan Krastev
Honored Contributor

‎09-21-2007 01:50 AM

‎09-21-2007 01:50 AM

Re: Restrict specific user from telnet session with c shell

Hi Alfredo,

See KB doc "HP-UX telnet - How to Restrict Telnet Access by User" - http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1


There are many examples to restict users.


regards,
ivan
0 Kudos
Reply
Ivan Krastev
Honored Contributor

‎09-21-2007 01:50 AM

‎09-21-2007 01:50 AM

Re: Restrict specific user from telnet session with c shell

Hi Alfredo,

See KB doc "HP-UX telnet - How to Restrict Telnet Access by User" - http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1


There are many examples how to restrict users.


regards,
ivan
0 Kudos
Reply
larsoncu
Advisor

‎09-21-2007 02:18 AM

‎09-21-2007 02:18 AM

Solution

Re: Restrict specific user from telnet session with c shell

don't know if this is the suggested doc being i can't read it.

but if the user is su'ing, when you do a who -um it will display the user you login as. therefore if you logged as a different user and su'ed then whoami and who -um will be different. if whoami and who -um are the same you probably telneted in.

could put this in the /etc/login ? (whatever is used by csh) to test the values and don't allow access if they are the same.
Reply
shardam
Frequent Advisor

‎09-23-2007 05:23 PM

‎09-23-2007 05:23 PM

Re: Restrict specific user from telnet session with c shell

Hi All,

Sorry for my delay reply, however:

Aussan, modify shell with /usr/bin/false will disable the user totally even if you will do "su/su -"

Tim, tcp wrapper based from my experience with this service tool, as far as i know it will restrict only the specific users from a certain services/daemons but this can work only to restrict certain hosts,ips/subnets from host.deny/allows files. Take note this user is using csh shell and i dont think it's using /etc/profile (applicable ony with posix/bourne shells) but it's /etc/csh.login, the requirement from this dba user is to restrict direct telnet, I made some script from this user's profile (.cshr/.login) but still bypasing my script.
Is it possible from tct wrapper to restrict certain user to access from daemon/services?

Iva, sorry no access from HP Europe ITRC site but only ASIPAC =) but let me try to register there later. Would appreciate if you can attach from here.

Thanks again for your support but our clients since from the start they already using this logins sevice and most of them implemented in the production systems and already suggested to use ssh instead =(
0 Kudos
Reply
OldSchool
Honored Contributor

‎09-24-2007 02:26 AM

‎09-24-2007 02:26 AM

Re: Restrict specific user from telnet session with c shell

Same doc as above, except America/Asia Pacific site:


http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00843266-1
0 Kudos
Reply
TY 007
Honored Contributor

‎09-24-2007 02:39 PM

‎09-24-2007 02:39 PM

Re: Restrict specific user from telnet session with c shell

Hello Alfredo,

Workaround: /var/adm/inetd.sec

Thanks




0 Kudos
Reply
shardam
Frequent Advisor

‎09-25-2007 03:04 PM

‎09-25-2007 03:04 PM

Re: Restrict specific user from telnet session with c shell

Hi TY, /var/adm/inetd.sec can not restrict particular user to deny from telnet login sessions but can only work to allow/deny certain address/hosts from services.

Has anyone encountered this same concern of mine, restricting user with c shell to deny direct login from telnet session but su is enable from it? Highest points will be rewarded =)
0 Kudos
Reply
shardam
Frequent Advisor

‎09-25-2007 06:33 PM

‎09-25-2007 06:33 PM

Re: Restrict specific user from telnet session with c shell

Hi sorry to mention about tcp wrapper that this can able to deny specific user from service being use but this can only restrict certain hosts/ips based from host.allow/deny.
0 Kudos
Reply
AwadheshPandey
Honored Contributor

‎09-25-2007 07:27 PM

‎09-25-2007 07:27 PM

Re: Restrict specific user from telnet session with c shell

http://www.cites.uiuc.edu/wsg/resources/security/hpux.html#login
http://www.blacksheepnetworks.com/security/resources/sec_HPUX.html
here is a good thing for you. try it it should work.
http://www.brandonhutchinson.com/restricting_user_access.html

cheers.
It's kind of fun to do the impossible
0 Kudos
Reply
OldSchool
Honored Contributor

‎09-26-2007 05:06 AM

‎09-26-2007 05:06 AM

Re: Restrict specific user from telnet session with c shell

alfredo,

as noted above, you will need to look at the difference between what "who am i" and "whoami" return. "whoami" will return the id of the current effective user (the one you su'd to), while "who am i" will return the id you came from.

if the result of "whoami" is a user that should not telnet directly, you then need to check if the user returned by "who am i" is different. If not, block the login, if so they can proceed. The logic itself should probably go in /etc/csh.login. Note that you will then have to maintain the list of prohibitted users somewhere.

As to the actual code to do that, you're on your own, as I haven't seen a csh script in years.

Unless there are overwhelming reasons not to, users of csh should consider moving to other shells like /bin/sh (posix), /usr/bin/ksh, bash or others. You might look at:

http://www.faqs.org/faqs/unix-faq/shell/csh-whynot

for more info.
Reply
shardam
Frequent Advisor

‎09-26-2007 06:18 PM

‎09-26-2007 06:18 PM

Re: Restrict specific user from telnet session with c shell

Hi Oldschool,

Thank you very much for the idea of difference between these whoami/who am i, as I finally created one simple script under c shell and appended this to .login of the profile of each restricted users and it was successfully work. The users are now restricted thru direct login of telnet/even ssh and can only login from su/su - from normal users. Again, thanks to all ;-)

Regards,
Alfred
0 Kudos
Reply
OldSchool
Honored Contributor

‎09-27-2007 03:23 AM

‎09-27-2007 03:23 AM

Re: Restrict specific user from telnet session with c shell

You're welcome Alfredo, although the credit should go to "larsoncu" as he had suggested it in a post earlier in this thread.

also, please award points and close thread if the issue has been resolved.

see: http://forums1.itrc.hp.com/service/forums/helptips.do?#33
0 Kudos
Reply
shardam
Frequent Advisor

‎09-30-2007 09:23 PM

‎09-30-2007 09:23 PM

Re: Restrict specific user from telnet session with c shell

Thanks again, guys!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.