Operating System - HP-UX

Re: restricting logins based on username

 
SOLVED
Amit Dixit_2
Regular Advisor

restricting logins based on username

Hi,
I want to restrict login based on the
username.

i.e I want to restrict logins/telnet from
network for all except root and mylogin.

How can I do that also I want to restrict
ftp services as well.

Thanks
Amit
10 REPLIES
Bharat Katkar
Honored Contributor

Re: restricting logins based on username

Hi Amit,
You can restrict telnet/ftp in the /var/adm/inetd.sec file. See man inetd.sec.
Also you can restrict it at the network/hostname level, but I doubt it is possible with usernames.
You can use your machine IP and allow it and deny everybody else.
Regards,
You need to know a lot to actually know how little you know
R. Sri Ram Kishore_1
Respected Contributor

Re: restricting logins based on username

Hi Amit,

Take a look at this thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=700431

HTH.
Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
Franky_1
Respected Contributor

Re: restricting logins based on username

Hi,

you can restrict the ftp / telnet login in general using the /var/adm/inetd.sec file, or
/etc/ftpd/ftpusers for ftp and
/usr/bin/false as the shell to prohibit telnet login

Regards

Franky
Don't worry be happy
R. Sri Ram Kishore_1
Respected Contributor

Re: restricting logins based on username

Hi again,

Check these out as well:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=94744
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=93455

HTH.
Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
Muthukumar_5
Honored Contributor
Solution

Re: restricting logins based on username

We cannot use the inetd.sec file for user-based administration of the login service.

We can do it with the profile file as follows:

if [[ $LOGNAME != "root" && $LOGNAME != "mylogin" ]]
then

    # grep -q prints nothing, so test its exit status directly rather than
    # capturing it with $(...); drop the grep itself from the ps listing
    # (rlogind is assumed to be the "login" service meant here)
    if ps -ef | grep -v grep | grep -q telnetd || ps -ef | grep -v grep | grep -q rlogind
    then

        echo "Telnet service to $LOGNAME is denied. Contact admin now"
        sleep 3
        exit 1

    fi
fi

2. We can restrict ftp based on users with the ftpusers file.

See man ftpusers

Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: restricting logins based on username

We cannot use the inetd.sec file, because it operates based on IP address / network. So one feasible way is to control users by username and login service name in /etc/profile, so that every login uses that file and we can control it there.

ftp service restriction will be good and easy with the ftpusers file.

Refer to this link for more,
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=664925
Easy to suggest when don't know about the problem!
Robert Fritz
Regular Advisor

Re: restricting logins based on username

I would recommend not using /etc/profile or .profile scripts to control logins. Shells have escape and meta characters that users can use to interfere with the operation of the script.

I guess I'm wondering, if you don't want the users logging in, why you can't just make their login shell /usr/bin/false (for logins, not ftp) or put a "*" in their /etc/password entry. If you chroot your ftp, then make sure you either use the ftpusers file or put a "*" in the chrooted /etc/password too.

If you want more granular control, like expiration, number of simultaneous users, etc, check out /etc/default/security. It's got a bunch of stuff.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
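The two account-level controls described in this reply (a "*" in the password field and /usr/bin/false as the login shell), plus the ftpusers file the thread keeps coming back to, can be audited from the files themselves. The script below is an added example, not code from this thread or from HP-UX; the SAMPLE_PASSWD and SAMPLE_FTPUSERS contents are constructed, and the function names are this example's own. It assumes a classic passwd file with the password in field 2; on a trusted (shadowed) system field 2 is "*" for everyone and the lock must be read from the protected database instead.

```shell
#!/bin/sh
# Added example (not from the thread or HP-UX): audit which accounts can still
# start a shell and which can still use ftp, from constructed file contents.
# Assumes a classic /etc/passwd (password in field 2, shell in field 7).

# Constructed sample data: six accounts, two locked with "*", one with a
# no-op shell, and an ftpusers list denying two of them.
SAMPLE_PASSWD='root:Xy9abc:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
mylogin:Qz3def:101:20::/home/mylogin:/usr/bin/sh
user1:Lm5ghi:102:20::/home/user1:/usr/bin/false
user2:*:103:20::/home/user2:/usr/bin/sh
user3:Rt7jkl:104:20::/home/user3:/usr/bin/ksh'
SAMPLE_FTPUSERS='root
user3'

# shell_capable PASSWD_TEXT -> accounts, one per line, that can still reach a
# shell: password field not "*" and login shell not /usr/bin/false.
shell_capable() {
    printf '%s\n' "$1" | awk -F: '$2 != "*" && $7 != "/usr/bin/false" { print $1 }'
}

# ftp_capable PASSWD_TEXT FTPUSERS_TEXT -> accounts with a usable password
# that are not listed in ftpusers.  The login shell is deliberately not
# consulted here, following the reply's point that /usr/bin/false stops
# logins but is not the ftp control; the ftpusers entry is.
ftp_capable() {
    denied=$(printf '%s\n' "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -F: -v denied="$denied" '
        BEGIN { n = split(denied, d, " "); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        $2 != "*" && !($1 in deny) { print $1 }'
}

echo "Accounts that can still get a shell:"
shell_capable "$SAMPLE_PASSWD"
echo "Accounts that can still use ftp:"
ftp_capable "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS"
```

Run against the real files with `shell_capable "$(cat /etc/passwd)"` and `ftp_capable "$(cat /etc/passwd)" "$(cat /etc/ftpd/ftpusers)"`; user1 appearing in the second list but not the first is exactly the gap the reply warns about, and the fix is an ftpusers entry, not a shell change.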
Sundar_7
Honored Contributor

Re: restricting logins based on username

Amit,

To restrict network logins for the user account, you need to add some code to /etc/profile that checks the username and kicks it off if it is not root or your own username.

To restrict ftp based on the login name, you need to create the /etc/ftpd/ftphosts file.

# vi /etc/ftpd/ftphosts
deny user1 *
#

Now the user user1 will not be able to login anywhere from the network.

-- Sundar
Learn What to do ,How to do and more importantly When to do ?
Mike Patterson
Frequent Advisor

Re: restricting logins based on username

Some notes I have on this:

(Incidentally, in AIX, just touch /etc/nologin to keep users off system.)

1. One way to keep users from getting a login, etc., is to use allow and deny entries in /var/adm/inetd.sec. You can specify a service to allow or deny and put host names or IP addresses to control. See man on inetd.sec.

Example:
telnet deny 10.11-12
telnet allow 10.12.80.67 10.12.80.104
login deny 10.11-12
login allow 10.12.80.67

This example denies anyone from accessing the system by either rlogin (login service) or login (telnet) from the 10.11-12 network. It allows 2 specific IP addresses for those services.

2. Another easy way to control logins is to put a function in a menu or /etc/profile that allows quick login, but quickly displays a message and logs the user out. I comment/uncomment this function to quickly control access.

Example function:

function no_access
{
# Allowed users (anchored so only the exact names match, not e.g. "rootkit"):
OK_TO_LOGIN="^(root|mp5802)$"
# egrep -v prints $LOGNAME only when it is NOT in the allowed list
if [ -n "$(echo "$LOGNAME" | egrep -v "$OK_TO_LOGIN")" ]; then
    clear
    echo ""
    echo ""
    echo " SYSTEM IS UNAVAILABLE"
    echo ""
    echo ""
    sleep 3
    exit
fi
}
# now call the function:
no_access
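
Both /etc/profile snippets in this thread (the if-block in the accepted answer and the no_access function above) share the same weak spots: a pattern that can match inside a longer username, a test that is true for everyone when written as "!= a || != b", and a check the user can interrupt before it finishes. The guard below is an added example, not code from either poster or from HP-UX, that keeps their approach but closes those gaps. NET_LOGIN_OK, the function names and the WHO_CONSOLE/WHO_TELNET lines are this example's own constructed values; it assumes `who -m` prints the origin host in parentheses for network sessions (on releases where the host only appears with -R, change WHO_CMD to `who -mR`).

```shell
#!/bin/sh
# Added example (not from the thread's authors or from HP-UX): an
# /etc/profile guard that refuses network sessions for accounts outside an
# allow list, with exact name matching and signals blocked during the check.
# Assumption: `who -m` shows the origin host in parentheses for network
# logins; adjust WHO_CMD if your release needs -R for that.

# Accounts allowed in from the network.  Space-separated; matched whole.
NET_LOGIN_OK="root mylogin"
WHO_CMD="who -m"

# user_allowed USER -> 0 if USER is listed in NET_LOGIN_OK (exact match,
# so "rootkit" is not accepted because it contains "root").
user_allowed() {
    for u in $NET_LOGIN_OK; do
        if [ "$1" = "$u" ]; then return 0; fi
    done
    return 1
}

# session_is_network WHO_LINE -> 0 when the `who -m` line names an origin
# host in parentheses, i.e. the session came in by telnet or rlogin.
session_is_network() {
    case "$1" in
        *'('*')'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# net_login_permitted USER WHO_LINE -> 0 if the session may continue.
# Console sessions are never refused, so an admin is not locked out.
net_login_permitted() {
    if session_is_network "$2" && ! user_allowed "$1"; then
        return 1
    fi
    return 0
}

# enforce_net_login_policy: the call to place in /etc/profile.  Signals are
# ignored while the check runs so ^C cannot abort the profile and leave the
# user at a prompt; exit from a sourced profile ends the login shell.
enforce_net_login_policy() {
    trap '' INT QUIT TSTP HUP
    if ! net_login_permitted "$LOGNAME" "$($WHO_CMD 2>/dev/null)"; then
        echo "Network login for $LOGNAME is not permitted on this system."
        sleep 3
        exit 1
    fi
    trap - INT QUIT TSTP HUP
}

# Constructed `who -m` lines used to exercise the policy offline.
WHO_CONSOLE='amit       console      Jan 10 09:12'
WHO_TELNET='amit       pts/3        Jan 10 09:15 (10.12.80.104)'

for acct in amit root rootkit; do
    if net_login_permitted "$acct" "$WHO_TELNET"; then
        echo "$acct via telnet: permitted"
    else
        echo "$acct via telnet: refused"
    fi
done
```

Only shells that read /etc/profile ever run this, so accounts whose login shell is csh or something else need the /etc/passwd-level lock described elsewhere in the thread; the guard is a second layer, not a substitute for it.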


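The inetd.sec lines in item 1 above are easy to get backwards (an "allow" line denies every address it does not list), so it helps to dry-run a rule set against a few client addresses before installing it. The checker below is an added example, not HP-UX's inetd code; SAMPLE_RULES is constructed, the function names are this example's own, and its matching semantics (a service with no entry is open, the first entry for a service decides, a pattern with fewer than four fields covers the whole network it names) are this script's reading of the format rather than anything taken from man inetd.sec, which remains the authority. It goes a little beyond the post by also handling "*" wildcards and partial network numbers.

```shell
#!/bin/sh
# Added example (not HP-UX's inetd): apply inetd.sec-style allow/deny lines
# to a client address.  Numeric addresses only: full addresses, partial
# network numbers ("10.11"), per-field ranges ("10.11-12") and "*" fields.
# Semantics are this script's model of the format; check man inetd.sec.

# Constructed rule set in inetd.sec line format, one entry per service.
SAMPLE_RULES='# service  allow|deny  addresses
telnet deny 10.11-12
login allow 10.12.80.67 10.12.80.104
ftp allow 10.12.80.*'

# field_matches FIELD_PATTERN OCTET -> 0 if the octet satisfies the field.
field_matches() {
    case "$1" in
        '*')  return 0 ;;
        *-*)  lo=${1%-*}; hi=${1#*-}
              if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi
              return 1 ;;
        *)    if [ "$1" -eq "$2" ]; then return 0; fi
              return 1 ;;
    esac
}

# addr_matches PATTERN ADDR -> 0 if dotted-quad ADDR is covered by PATTERN.
# A pattern with fewer than four fields covers the whole network it names.
addr_matches() {
    i=1
    while [ "$i" -le 4 ]; do
        pf=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n }')
        af=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n }')
        if [ -z "$pf" ]; then return 0; fi       # pattern exhausted
        if ! field_matches "$pf" "$af"; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# inetd_sec_allows RULES SERVICE ADDR -> 0 if ADDR may use SERVICE.
# No entry for the service means open; otherwise the first entry decides.
# A malformed action word fails closed.
inetd_sec_allows() {
    entry=$(printf '%s\n' "$1" | grep -v '^#' | grep "^$2[[:space:]]" | head -n 1)
    if [ -z "$entry" ]; then return 0; fi
    action=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    addrs=$(printf '%s\n' "$entry" | awk '{ for (i = 3; i <= NF; i++) print $i }')
    hit=1
    set -f                          # keep "*" fields from globbing
    for pat in $addrs; do
        if addr_matches "$pat" "$3"; then hit=0; break; fi
    done
    set +f
    case "$action" in
        allow) return "$hit" ;;
        deny)  if [ "$hit" -eq 0 ]; then return 1; fi; return 0 ;;
        *)     return 1 ;;
    esac
}

# Dry-run a few constructed client addresses against the sample rules.
for probe in 'telnet 10.11.5.6' 'telnet 10.13.1.1' 'login 10.12.80.67' \
             'login 10.12.80.68' 'ftp 10.12.80.200' 'ftp 10.12.81.1'; do
    set -- $probe
    if inetd_sec_allows "$SAMPLE_RULES" "$1" "$2"; then
        echo "$1 from $2: allowed"
    else
        echo "$1 from $2: denied"
    fi
done
```

To check a live file, pass `"$(cat /var/adm/inetd.sec)"` as the first argument; hostnames in an entry are not evaluated by this model and simply fail to match.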
Montagne_3
New Member

Re: restricting logins based on username

Hi,

You can see TCP Wrappers to restrict access to your host but it is based on ip address or hostname.
With this software you can keep traces of connections and allow / deny access for ftp,telnet services.
It is free.

Laurent