HPE Community
Operating System - HP-UX
1822148 Members
4273 Online
109640 Solutions
New Discussion юеВ

restricting loings based on username

 
SOLVED
Go to solution
Amit Dixit_2
Regular Advisor

тАО09-20-2004 07:55 PM

тАО09-20-2004 07:55 PM

restricting loings based on username

Hi,
I want to restrict login based on the
username.

i.e I want to restrict logins/telnet from
network for all except root and mylogin.

How can I do that also I want to restrict
ftp services as well.

Thanks
Amit
0 Kudos
Reply
10 REPLIES 10
Bharat Katkar
Honored Contributor

тАО09-20-2004 08:01 PM

тАО09-20-2004 08:01 PM

Re: restricting loings based on username

HI Amit,
You can restrict telnet/ftp in /var/adm/inetd.sec file. See man inetd.sec.
Also you can restrict it at network/hostname level but doubt if it is possible with Usernames.
You can use you machine IP and allow it and deny for everbody else.
Regards,
You need to know a lot to actually know how little you know
0 Kudos
Reply
R. Sri Ram Kishore_1
Respected Contributor

тАО09-20-2004 08:06 PM

тАО09-20-2004 08:06 PM

Re: restricting loings based on username

Hi Amit,

Take a look at this thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=700431

HTH.
Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
0 Kudos
Reply
Franky_1
Respected Contributor

тАО09-20-2004 08:11 PM

тАО09-20-2004 08:11 PM

Re: restricting loings based on username

Hi,

you can restrict the ftp / telnet login in general using /var/adm/inetd.sec file or
/etc/ftpd/ftpusers for ftp and
/usr/bin/false as shell to prohibit telnet login

Regards

Franky
Don't worry be happy
0 Kudos
Reply
R. Sri Ram Kishore_1
Respected Contributor

тАО09-20-2004 08:12 PM - last edited on тАО09-16-2024 02:20 AM by

тАО09-20-2004 08:12 PM - last edited on тАО09-16-2024 02:20 AM by

Re: restricting loings based on username

Hi again,

Check these out as well:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=94744
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=93455

HTH.
Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
0 Kudos
Reply
Muthukumar_5
Honored Contributor

тАО09-20-2004 08:12 PM

тАО09-20-2004 08:12 PM

Solution

Re: restricting loings based on username

We can not use inetd.sec file userbased administration on login service.

We can do it with profile file as,

if [[ $LOGNAME != "root" || $LOGNAME != "mylogin" ]]
then

if [[ $(ps | grep -q telnetd) -eq 0 || $(ps | grep -q logins) -eq 0 ]]
then

echo "Telnet service to $LOGNAME is denied. Contact admin now"
sleep 3
exit 1

fi
fi

2. We can restrict ftp based on users with ftpusers file there.

See man ftpusers

Easy to suggest when don't know about the problem!
Reply
Muthukumar_5
Honored Contributor

тАО09-20-2004 08:29 PM

тАО09-20-2004 08:29 PM

Re: restricting loings based on username

We can not use inetd.sec file, because it will be operated based on ip-address / network there. So one feasible way is to control users with the username and login service name on the /etc/profile there. So that every login will use that file to login and we can control there.

ftp service restriction will be good and easy with ftpusers file right there.

Refer this link for mroe,
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=664925
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Robert Fritz
Regular Advisor

тАО09-22-2004 03:31 AM

тАО09-22-2004 03:31 AM

Re: restricting loings based on username

I would recommend not using /etc/profile or .profile scripts to control logins. Shells have escape and meta characters that users can use to interfere with the operation of the script.

I guess I'm wondering, if you don't want the users logging in, why you can't just make their login shell /usr/bin/false(for logins, not ftp) or put a "*" in their /etc/password entry. If you chroot your ftp, then make sure you either use the ftpusers file or put a "*" in the chrooted /etc/password too.

If you want more granular control, like expiration, number of simultaneous users, etc, check out /etc/default/security. It's got a bunch of stuff.
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
0 Kudos
Reply
Sundar_7
Honored Contributor

тАО09-22-2004 03:38 AM

тАО09-22-2004 03:38 AM

Re: restricting loings based on username

Amit,

To restict network logins for the user account, you need to add some code to the /etc/profile that checks the username and kicks off it is not root or your own username.

To restrict ftp based on the login name, you need to create the /etc/ftpd/ftphosts file.

# vi /etc/ftpd/ftphosts
deny user1 *
#

Now the user user1 will not be able to login anywhere from the network.

-- Sundar
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Mike Patterson
Frequent Advisor

тАО09-22-2004 04:24 AM

тАО09-22-2004 04:24 AM

Re: restricting loings based on username

Some notes I have on this:

(Incidentally, in AIX, just touch /etc/nologin to keep users off system.)

1. One way to keep users from getting a login, etc., is to use allow and deny entries in /var/adm/inetd.sec. You can specifiy a service to allow or deny and put host names or IP addresses to control. See man on inetd.sec.

Example:
telnet deny 10.11-12
telnet allow 10.12.80.67 10.12.80.104
login deny 10.11-12
login allow 10.12.80.67

This example denies anyone from accessing the system by either rlogin (login service) or login (telnet) from the 10.11-12 network. It allows 2 specific IP address for those services.

2. Another easy way to control logins, is to put a function in a menu or /etc/profile that allows quick login, but quickly displays a message and logs the user out. I comment/uncomment this function to quickly control access.

Example function:

function no_access
{
# Allowed users:
OK_TO_LOGIN="root|mp5802"
if [ ! x`echo $LOGNAME | egrep -v $OK_TO_LOGIN` = "x" ]; then
clear
echo ""
echo ""
echo " SYSTEM IS UNAVAILABLE"
echo ""
echo ""
sleep 3
exit
fi
}
# now call the function:
no_access


0 Kudos
Reply
Montagne_3
New Member

тАО09-23-2004 10:14 AM

тАО09-23-2004 10:14 AM

Re: restricting loings based on username

Hi,

You can see TCP Wrappers to restrict access to your host but it is based on ip address or hostname.
With this software you can keep traces of connections and allow / deny access for ftp,telnet services.
It is free.

Laurent
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.