Operating System - HP-UX

Paul J. Ledbetter, II
Frequent Advisor

Restricting telnet to local host

Hi,
I've read as many of the other posts as I could on this subject but I can't find (or identify) anything that fits my specific application. I have a user that needs to telnet to a specific server (HP9000, HP-UX 11i). Once logged in, I want to prevent that one particular user from being able to again telnet or ftp to anything else. Mind, I'm concerned with all other telnet-able devices on my network, not just other UNIX hosts. In other words, I want to deny the ability to telnet out for this user only. How can I do this?
I may not know everything, but I'm working on it...
RAC_1
Honored Contributor

Re: Restricting telnet to local host

On all the servers where you do not want him to log in, put this code in /etc/profile:

# /etc/profile: send user_name straight back out (LOGNAME is set by login(1))
[[ "$LOGNAME" = "user_name" ]] && { echo "logout"; exit 0; }

Anil
There is no substitute to HARDWORK
Mic V.
Esteemed Contributor

Re: Restricting telnet to local host

How about restricted shell (rsh)? Put this account in a restricted environment and just don't provide telnet or ftp as commands. Depends on how many other things the login needs to do.

Another possibility is (I haven't investigated this) changing the group permissions on the telnet and ftp executables such that he can't get to them -- probably not a very good solution, since he may be able to just get the executable elsewhere, etc etc... but...

Mic
What kind of a name is 'Wolverine'?
Paul J. Ledbetter, II
Frequent Advisor

Re: Restricting telnet to local host

RAC,
Your solution won't work with a Perle terminal server or an HP Jetdirect. I want this user to not be able to use the telnet command once he is logged in to this particular host.

Mic V:
I've never done an rsh before, but that idea may hold promise. I'll certainly look it up, but if you can give me the Condensed Version I'd sure appreciate it!

I may not know everything, but I'm working on it...
Biswajit Tripathy
Honored Contributor

Re: Restricting telnet to local host

As you probably realized by now, this is a slightly difficult thing to do. So you might want to rethink the whole issue and redefine your problem. One possible solution (of course, you need to decide if it solves your problem) I can think of is:

When this user logs into your server (let's call it server-A) and stays logged in, you could block all outgoing connection requests from server-A to all other machines. Some other user can log in to server-A, but can't telnet to a 3rd server from server-A. If this solution is acceptable, then you could use IPFilter to achieve this.

- Biswajit

:-)
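The IPFilter approach above, worked through as an added example (not code from the thread or from any of its posters). It writes a ruleset under which server-A still accepts telnet and ftp logins but cannot originate them; note this is host-wide, since IPFilter matches packets, not user IDs, which is the trade-off Biswajit points out. The interface name lan0, the rule file path /etc/opt/ipf/ipf.conf and the ipf/ipfstat invocations are assumptions for an HP-UX 11i host and should be checked against the local installation.

```shell
#!/usr/bin/sh
# Added example: host-wide IPFilter rules so server-A accepts interactive
# logins but cannot open telnet/ftp sessions to anything else.
# IFACE, IPF_CONF and the ipf/ipfstat commands are assumptions for HP-UX 11i.

IFACE=${IFACE:-lan0}                          # assumed: first LAN interface
IPF_CONF=${IPF_CONF:-/etc/opt/ipf/ipf.conf}   # assumed: default HP-UX rule file

# Write a ruleset to file $1 covering each TCP port given in $2...
# Inbound sessions to our own daemons are passed with "keep state", so their
# reply packets are matched by the state table and never reach the outbound
# block rule. Only an outbound SYN towards another host's port is dropped.
write_ipf_rules() {
    out=$1; shift
    {
        echo "# server-A: accept telnet/ftp logins, refuse to originate them"
        for port in "$@"; do
            echo "pass in quick on $IFACE proto tcp from any to any port = $port flags S keep state"
        done
        for port in "$@"; do
            echo "block out quick on $IFACE proto tcp from any to any port = $port flags S"
        done
    } > "$out"
}

# Number of active (pass/block) rules in file $1, ignoring comments.
rule_count() {
    grep -c -e '^pass ' -e '^block ' "$1"
}

# Privileged step, run as root on the real host: flush the active set, load
# the file, then list what is actually installed for a last sanity check.
load_ipf_rules() {
    ipf -Fa -f "$IPF_CONF" && ipfstat -io
}

# Usage on server-A (as root):
#   write_ipf_rules "$IPF_CONF" 21 23 && load_ipf_rules
```

The caveat a practitioner should keep in mind: this blocks telnet and ftp for every user on server-A, and only on ports 21 and 23. A telnet client pointed at a non-standard port (a Jetdirect or terminal-server console port, for instance) is not covered unless that port is added to the list.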
Mic V.
Esteemed Contributor

Re: Restricting telnet to local host

Basically, the idea is that you change the shell to "rsh" (a restricted variant of posix shell), make a directory full of commands they can use, and edit the login environment to make use of it. Sounds easy, but it can get quite complicated if it's more than a fairly trivial login.

Of course, you do NOT want to give them "vi" or anything else with a shell escape.

The man page really is useful (sorry, not telling you to RTFM! :-):

http://www.docs.hp.com/en/B2355-60103/sh-posix.1.html

Some other interesting reading:
- http://newfdawg.com/SHP-RestShell
- http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=191408
- http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=737077

HTH.

Mic
What kind of a name is 'Wolverine'?
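The restricted-shell recipe Mic describes, as an added worked example (not code from the thread or its posters): a private directory of permitted commands, a root-owned .profile that points PATH at it, and a login shell of /usr/bin/rsh. It also refuses to expose commands that carry a shell escape or can exec other programs, since any of those would let the user reach /usr/bin/telnet again. The user name, the rbin directory name, the forbidden-command list and the usermod/chown steps are assumptions for an HP-UX 11i host.

```shell
#!/usr/bin/sh
# Added example: build a restricted-shell login for one user on HP-UX 11i.
# rsh (restricted POSIX shell) forbids cd, changing PATH/SHELL/ENV, command
# names containing "/" and output redirection, but only AFTER .profile has
# run, so .profile is where PATH is fixed and it must not be user-writable.
# Directory names, the user and the command lists below are assumptions.

# Commands that offer a shell escape or can run arbitrary programs; none of
# these may appear in the restricted bin directory. Illustrative, not complete.
ESCAPE_CMDS="vi ex ed view more less sh ksh csh telnet ftp remsh rlogin rcp ssh env nice su find xargs awk perl"

# Return 0 if command $1 must not be offered to the restricted user.
is_forbidden_cmd() {
    for c in $ESCAPE_CMDS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# Populate $1/rbin with links to the allowed commands ($3...), skipping any
# forbidden or missing ones, and write $1/.profile. $2 is the user name.
build_restricted_env() {
    home=$1; shift
    user=$1; shift
    rbin="$home/rbin"
    mkdir -p "$rbin" || return 1
    for cmd in "$@"; do
        if is_forbidden_cmd "$cmd"; then
            echo "refusing to expose $cmd for $user (shell escape / network client)" >&2
            continue
        fi
        src=$(command -v "$cmd" 2>/dev/null) || { echo "no such command: $cmd" >&2; continue; }
        ln -sf "$src" "$rbin/$cmd"
    done
    # PATH is the only thing .profile sets; the user cannot change it later.
    cat > "$home/.profile" <<EOF
PATH=$rbin
export PATH
# Nothing else: the user must not be able to run anything outside \$PATH.
EOF
    return 0
}

# Number of commands actually installed in $1/rbin.
allowed_count() {
    ls "$1/rbin" | wc -l | tr -d ' '
}

# Privileged deployment, run as root on the real host (HP-UX commands assumed):
# lock down ownership so the user cannot edit .profile or add to rbin, then
# switch the login shell to the restricted shell.
deploy_restricted_user() {
    home=$1; user=$2
    chown root:sys "$home/.profile" && chmod 444 "$home/.profile"
    chown -R root:sys "$home/rbin" && chmod 755 "$home/rbin"
    usermod -s /usr/bin/rsh "$user"
}

# Usage (as root):
#   build_restricted_env /home/jdoe jdoe ls cat date who
#   deploy_restricted_user /home/jdoe jdoe
```

Two checks worth running after deployment: log in as the user and confirm that `telnet host` reports "not found" (PATH has no such command) and that `/usr/bin/telnet host` is refused by rsh because of the slash; then review every command left in rbin for a way to spawn a process, because one overlooked shell escape undoes the whole setup.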