Operating System - HP-UX

Re: Restricted rlogin or telnet

 
CKT
Advisor

Restricted rlogin or telnet

I want to limit certain users to rlogin to my server based on user name. What is the best way to implement this? Ideally when a banned user tries to rlogin my server will return a message saying that he is banned from this machine. Thanks for your help in advance.
You can't turn back the clock, but you can always rewind it again.
Steffi Jones_1
Esteemed Contributor

Re: Restricted rlogin or telnet

Hi Jules,

I might be missing a piece of information, but if you don't want some users to login to the box, don't give them an account on it.
That would be the easiest and safest way of keeping users off a system (and don't give out the root password).
If you want to restrict access from a box in your net, have a look at the file /var/adm/inetd.sec.

Hope that was not a too simple answer :-)

Steffi Jones
Shannon Petry
Honored Contributor

Re: Restricted rlogin or telnet

If there is a reason you cannot remove the ID, i.e. the NIS domain is not yours, etc., then there are two options.
1. Read up on inetd.sec via man pages or HP-UX instant information.
2. Add some goodies to /etc/profile like

    I_AM=`/usr/bin/whoami`
    if [ "${I_AM}" = "julie" ] ; then
        echo "Sorry, you're banished from my kingdom..."
        sleep 2
        exit
    fi

This will kick them out at login.

If you can remove from passwd then remove them and be done! :)

Regards,
Shannon
Microsoft. When do you want a virus today?
Dan Hetzel
Honored Contributor

Re: Restricted rlogin or telnet

Hi Jules,

I agree with Steffi and Shannon as the easiest thing would be to remove them from the password file.
If you need to keep the user IDs for any reason, you may simply deactivate the account by putting an asterisk in the password field (second field, normally 13 characters long).

As no password will encrypt to a single asterisk, these user IDs won't be usable to log in.

An alternate solution would be a simple code in your /etc/profile file like Shannon suggested.

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Darrel Louis
Honored Contributor
Solution

Re: Restricted rlogin or telnet

Hi,

As you can see, there are special ways of banning users:

- inetd.sec
All of the internet services controlled by inetd (including telnet and rlogin) have their access controlled by the security file /var/adm/inetd.sec. To restrict or allow particular access, specifically list the service to be restricted, denied, or allowed. Then list specific IP addresses for individual hosts or use network addresses to deny or allow entire networks. Check the man pages on inetd.sec for more information on the format of the file. The following is an example that will allow everything on the 15.56 subnet and the single host 192.13.12.1 to telnet in. Telnet sessions from all other hosts will be denied:

    telnet allow 15.56.* 192.13.12.1

- User's profile:
Modify the user's .profile in his home directory.

- /etc/profile
Make a file with a list of users you want to deny. Then modify the /etc/profile to check this file first and then log them off with a message. This you can do when you don't or are not able to change the password file.

Good Luck

Darrel
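
The /etc/profile deny-list approach described in the answer above, as an added example that is not part of the original thread. The path /etc/login.deny, the file format (one login name per line, `#` comments) and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the deny list lives in
# /etc/login.deny (hypothetical path), one login name per line, '#' comments.
DENY_FILE=${DENY_FILE:-/etc/login.deny}

# is_denied USER FILE: status 0 only if USER equals the first field of a line.
# Exact field comparison matters: a substring grep for "julie" would also
# lock out "julie2". A missing or unreadable list denies nobody.
is_denied() {
    [ -n "$1" ] || return 1
    [ -r "$2" ] || return 1
    awk -v u="$1" '{ sub(/#.*/, "") } $1 == u { hit = 1 } END { exit !hit }' "$2"
}

# enforce_deny_list: call as the first statement of /etc/profile.
enforce_deny_list() {
    trap '' 1 2 3                 # ignore HUP/INT/QUIT while checking, so the
                                  # user cannot interrupt /etc/profile to skip it
    _me=`/usr/bin/whoami`
    if is_denied "$_me" "$DENY_FILE"; then
        echo "Sorry, $_me is not permitted to log in to this machine."
        sleep 2
        exit 1
    fi
    trap - 1 2 3                  # restore default signal handling
}

# Demo on a constructed list; nothing here touches the real /etc files.
demo() {
    _list=${TMPDIR:-/tmp}/login.deny.demo.$$
    printf '%s\n' '# constructed sample' 'julie' 'guest   # contractor' > "$_list"
    for _u in julie julie2 guest root; do
        if is_denied "$_u" "$_list"; then echo "$_u: denied"; else echo "$_u: allowed"; fi
    done
    rm -f "$_list"
}
demo
```

/etc/profile is read only by Bourne-family login shells (sh, ksh), so accounts whose login shell is csh, and commands run non-interactively through remsh/rsh, never reach this check. Keep the deny list writable by root only, and treat the check as a courtesy message on top of an account-level control such as the password-field lock mentioned earlier in the thread.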



Ashish Palkhiwala
Occasional Advisor

Re: Restricted rlogin or telnet

Just a thought,

How about setting up a host.equiv and .rhosts mechanism?

Good luck