restricted telnet access

 
Carsten Drzensky
Occasional Contributor

Hi,

Although I am working with Unix now for three years (which is not very much) I am coming right now to the system administration of our HP9000 which is really new to me.

We have several applications running on our HP-UX 11.0 system which are used and accessed by several people via the LAN/WAN.
To have a better possibility of logging users and their activities, I would like to disable the Unix user accounts where the apps are installed and have one account for each user, who should then do a "su - ".

Could You please help me in setting this up as I cannot really find something about this in the documentation?

Thanks in advance!


Regards,

Peter
Victor BERRIDGE
Honored Contributor

Re: restricted telnet access

Hi,
I suppose the easiest would be to install and use sudo: you will not have to fight with shell configs etc...
You will not have to give the passwd of your application UID; you could configure sudo so that it su's to them with the command without a passwd being asked...

Good luck

Victor
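
An added example of the sudoers policy Victor describes (editor's example, not Victor's configuration): operators may run "su - <application account>" through sudo without a password, and every switch is logged under the operator's own login. The operator and account names (opertopa, opertram, dbatopa, save_config_dbid) are taken from the log excerpt later in this thread and are assumptions here.

```shell
#!/usr/bin/sh
# Added example, not Victor's configuration: a sudoers fragment that lets the
# operators become the application account via sudo, without a password, so
# each switch is logged under the operator's own name. Names are assumptions.

write_app_sudoers() {
  # $1: file to write. Write to a scratch file first and check it with
  # "visudo -c -f <file>" before it goes anywhere near /etc/sudoers.
  cat > "$1" <<'EOF'
# Operators who are allowed to become the application account
User_Alias   APP_OPERATORS = opertopa, opertram
# Only these exact command lines. sudo matches listed arguments literally,
# so an operator cannot turn "su - dbatopa" into "su - root" or "su -c sh".
Cmnd_Alias   SU_DBATOPA = /usr/bin/su - dbatopa, \
                          /usr/bin/su - dbatopa -c save_config_dbid
# Run as root without a password; sudo logs each call to syslog
APP_OPERATORS ALL = (root) NOPASSWD: SU_DBATOPA
EOF
}

# Number of policy lines actually written (comments and blanks excluded),
# a cheap sanity check before running visudo on the scratch file.
count_policy_lines() {
  grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# Stand-alone demonstration: write the fragment to a scratch file.
scratch=${TMPDIR:-/tmp}/sudoers.app.$$
write_app_sudoers "$scratch"
echo "$(count_policy_lines "$scratch") policy lines written to $scratch"
echo "check syntax with: visudo -c -f $scratch"
```

Note the trade-off: "su - dbatopa" still hands the operator a full shell as the application account, which is what the original question wants (shared application account, per-user accountability). If only specific jobs should be runnable, keep the Cmnd_Alias to the "-c" forms and drop the bare "su - dbatopa" entry.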
Bill Hassell
Honored Contributor

Re: restricted telnet access

If the users have no need for a shell prompt (that is, their work is dedicated to a specific application), then change the user's shell to the application, or if the app needs a certain environment, a shell wrapper that only starts the application and exits when it is done. Just change /etc/passwd for each user's shell.


Bill Hassell, sysadmin
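
Bill's wrapper idea as an added example (editor's code, not Bill's): a captive login shell that sets up the environment, starts one application and ends the session when it exits. It also refuses the "-c command" form that rsh/rcp/scp would use to run arbitrary commands through the user's shell, which a plain "exec app" wrapper would quietly ignore. The paths /usr/local/bin/appshell, /opt/app and /opt/app/bin/app are assumptions.

```shell
#!/usr/bin/sh
# Added example (not Bill's code): captive login shell that only runs one
# application. Install as /usr/local/bin/appshell, list that path in
# /etc/shells, and put it in the shell field of each user's /etc/passwd entry.
# APP_BIN and APP_HOME are assumptions.

captive_shell() {
  # A login shell is started with no arguments. Anything else ("-c cmd" from
  # rsh, rcp or scp) is an attempt to run an arbitrary command: refuse it.
  if [ $# -ne 0 ]; then
    echo "appshell: interactive application use only, commands refused" >&2
    return 126
  fi
  app=${APP_BIN:-/opt/app/bin/app}
  if [ ! -x "$app" ]; then
    echo "appshell: $app is not available" >&2
    return 127
  fi
  # Keep ^C, ^\ and ^Z from dropping the user out of the app into a prompt
  trap '' INT QUIT TSTP
  umask 027
  APP_HOME=${APP_HOME:-/opt/app}; export APP_HOME
  PATH=/usr/bin:/usr/local/bin;    export PATH
  cd "$APP_HOME" || return 1
  # exec: no shell process survives the application, so when it exits the
  # login session ends with it
  exec "$app"
}

# Only behave as the login shell when installed under that name; running or
# sourcing this file under another name just defines the function.
case "$0" in
  *appshell) captive_shell "$@" ;;
esac
```

Users with this shell still need a real password for telnet, so combine it with one of the password-field or sudo approaches in this thread if the point is to block direct logins altogether.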
Carsten Drzensky
Occasional Contributor

Re: restricted telnet access

Thanks for the fast replies!

The users will need Shell access so logging them directly into the application will not work on our system.

I had a quick look at sudo and it looks really nice. What I still wonder is how I can use sudo to prevent specific users logging on via telnet. Will sudo deny the connection when configured properly? (If yes would it be possible to have an example configuration for this?)

Peter
Victor BERRIDGE
Honored Contributor

Re: restricted telnet access

The idea is the user has to connect himself first, since he doesn't know the passwd of the app-user, and has to use sudo...

You can trace the sudo activity because it will be logged in /var/adm/syslog/syslog.log:
COMMAND=/usr/bin/su - dbatram -c save_export_dbid 2WEEKS 2001.01.12
Jan 12 23:38:57 caph syslog: su : + tty?? root-dbatram
Jan 12 23:50:01 caph sudo: opertopa : TTY=unknown ; PWD=/home/opertopa ; USER=root ;
COMMAND=/usr/bin/su - dbatopa -c save_config_dbid


Good luck
Victor
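
Since the whole point of the exercise is accountability, here is an added example (editor's code, not Victor's) that turns the syslog entries Victor shows into a "who became which account" report: it pulls the invoking user and the su target out of each sudo line and flags entries sudo rejected. The sample lines are constructed in the same format as the excerpt above, not real logs.

```shell
#!/usr/bin/sh
# Added example, not from the thread: report which login switched to which
# application account via "sudo su -", from syslog lines in the format shown
# above. SAMPLE_LOG is constructed test data, not a real log.

SAMPLE_LOG='Jan 12 23:38:50 caph sudo: opertram : TTY=unknown ; PWD=/home/opertram ; USER=root ; COMMAND=/usr/bin/su - dbatram -c save_export_dbid 2WEEKS 2001.01.12
Jan 12 23:38:57 caph syslog: su : + tty?? root-dbatram
Jan 12 23:50:01 caph sudo: opertopa : TTY=unknown ; PWD=/home/opertopa ; USER=root ; COMMAND=/usr/bin/su - dbatopa -c save_config_dbid
Jan 13 00:02:11 caph sudo: opertopa : command not allowed ; TTY=pts/3 ; PWD=/home/opertopa ; USER=root ; COMMAND=/usr/bin/su - root'

# sudo_su_report: reads syslog on stdin, prints "<login> <target> <ok|DENIED>"
# for every sudo entry whose command is an su to another account.
sudo_su_report() {
  awk '
    / sudo: / {
      # the invoking login is the first " : "-separated field after "sudo: "
      sub(/.* sudo: /, "")
      split($0, f, " : ")
      who = f[1]
      # sudo writes "command not allowed" when the sudoers policy rejected it
      status = ($0 ~ /command not allowed/) ? "DENIED" : "ok"
      # the target account is the word after "su - " in the COMMAND field
      if (match($0, /COMMAND=[^ ]*su - [^ ]+/)) {
        cmd = substr($0, RSTART, RLENGTH)
        n = split(cmd, w, " ")
        print who, w[n], status
      }
    }'
}

# Stand-alone demonstration on the constructed sample; on the real system:
#   sudo_su_report < /var/adm/syslog/syslog.log
printf '%s\n' "$SAMPLE_LOG" | sudo_su_report
```

The su line itself ("root-dbatram") only records root becoming the application account, which is why the sudo entry, with the operator's login in it, is the one worth reporting on; a DENIED line for "su - root" is the kind of entry to watch for.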
Victor BERRIDGE
Honored Contributor

Re: restricted telnet access

Hi,
I remembered that I used the source and compiled sudo myself in order for it to do what I wanted; I can't remember what was wrong with the one from the porting center, it was maybe a timeout limit and a passwd-asking issue...

Best regards
Victor
Paul te Vaanholt
Occasional Advisor

Re: restricted telnet access

Hi,

The easiest way to prevent a direct telnet or ftp session for a specific user is by changing the password field to '*'. On a normal system this can be done in /etc/passwd, on a trusted system you can find the file in /tcb/files/auth. Setting the password field (not the password, but the field) to '*' will still allow su, rcp, rlogin, cron scripts etc.

Good luck and regards,

Paul te Vaanholt
HP Consulting
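
An added example of Paul's '*' approach on a normal (non-trusted) system (editor's code, not Paul's): it rewrites the password field of one /etc/passwd entry to '*' while leaving every other field alone, and works on a copy so the real file is only replaced once the result has been checked. The entries in SAMPLE_PASSWD are constructed; it does not handle the /tcb/files/auth layout of a trusted system.

```shell
#!/usr/bin/sh
# Added example (not Paul's): set the password field of one /etc/passwd entry
# to '*', which blocks direct telnet/ftp logins but, as Paul notes, still
# allows su, rcp, rlogin and cron. Works on stdin/stdout, never on
# /etc/passwd directly. SAMPLE_PASSWD is constructed test data.

# lock_login_entry USER: passwd-format lines on stdin, same lines on stdout
# with USER's password field replaced by '*'. Other fields are untouched.
lock_login_entry() {
  awk -F: -v OFS=: -v user="$1" '
    $1 == user { $2 = "*" }
    { print }
  '
}

# is_locked USER FILE: prints "locked" or "open" for USER's entry in FILE
is_locked() {
  awk -F: -v user="$1" '
    $1 == user { s = ($2 == "*") ? "locked" : "open"; print s; exit }
  ' "$2"
}

SAMPLE_PASSWD='root:Ab3x9Qz.RtU7k:0:3::/:/sbin/sh
dbatopa:Ku8qP2mW/xY1.:201:20:app owner:/home/dbatopa:/usr/bin/sh
opertopa:Mn4vL7bC.dE9z:301:20:operator:/home/opertopa:/usr/bin/sh'

# Stand-alone demonstration on the constructed data. On a real system:
#   lock_login_entry dbatopa < /etc/passwd > /tmp/passwd.new
# inspect /tmp/passwd.new, then install it with the permissions of the original.
printf '%s\n' "$SAMPLE_PASSWD" | lock_login_entry dbatopa
```

Because '*' can never be produced by the password hash algorithm, the check is simply whether field two is exactly '*'; anything else in that field is a password or an empty (no password) field.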

Re: restricted telnet access

1. you can restrict access to any inetd service (as telnetd, ftpd, etc) using /etc/hosts.allow and /etc/hosts.deny

2. you can put all users who can access the application in a group (/etc/group). Then you can check in the login script ( /etc/profile )

[ `id | grep -c "xxx(nnn)"` != 1 ] && exit

where xxx is the group ID and nnn is the group name
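
The group check above as an added, reusable example (editor's code, not the poster's): it matches the "(groupname)" token in the output of id, so members by primary or supplementary group pass, and the id output can be passed in explicitly for testing. The group name "appusers" is an assumption.

```shell
#!/usr/bin/sh
# Added example, not from the post above: a login-time group check for
# /etc/profile. Group name "appusers" is an assumption.

# in_group GROUP [ID_OUTPUT]: succeed when the id output names GROUP, as the
# "(GROUP)" token that id prints after each numeric id. ID_OUTPUT defaults
# to the real id output; passing it explicitly makes the check testable.
in_group() {
  case "${2:-$(id)}" in
    *"($1)"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# require_group GROUP: for /etc/profile. Records the refusal and ends the
# login shell unless the user is in GROUP (exit in /etc/profile ends the login).
require_group() {
  if ! in_group "$1"; then
    logger -t profile "login by $(id -un) refused: not in group $1" 2>/dev/null
    echo "Access restricted to members of group $1" >&2
    exit 99
  fi
}

# Stand-alone demonstration against the real id output of whoever runs this
g=${1:-appusers}
if in_group "$g"; then echo "member of $g"; else echo "not a member of $g"; fi
```

The parentheses are what keep the match exact: "(users)" does not match "(appusers)", whereas a bare grep for the name would.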
Patrick Wallek
Honored Contributor

Re: restricted telnet access

You can also restrict access to hosts via /var/adm/inetd.sec file. Do a 'man inetd.sec' for more information. Inetd.sec allows you to allow all hosts to connect, but deny certain ones, or deny all hosts but allow certain ones.
Darren Miller
Advisor
Solution

Re: restricted telnet access

Two parts to this answer:

1) How do I prevent certain users from logging in via telnet?

Add a few lines in the ~/.profile script belonging to the user you want to lock out. The following code snippet seems to work:

# quoted so the shell cannot expand [t]elnetd as a filename glob
if ps -f | grep -q '[t]elnetd'; then
    echo "telnet access not allowed"
    exit 99
fi

This code immediately terminates telnet logins, but allows CDE and local logins to succeed.

2) How do I grant non-root users root access to execute selected commands?

I concur with the previous postings: sudo is the tool you need. I installed it from http://hpux.cs.utah.edu/ before with great success.

Hope that helps!