Operating System - HP-UX

Restricting Users who can Login

 
Alan Shearer_1
Frequent Advisor

Restricting Users who can Login

Hi,

If I've disabled Telnet and all the r-services and use the AllowGroups option in sshd_config to restrict the users who can login to only those that are a member of my new group, are there any other means by which a user who is not in my ssh allowed login group could login?

Thanks.
Court Campbell
Honored Contributor

Re: Restricting Users who can Login

From the console. ;)
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Paul Sperry
Honored Contributor

Re: Restricting Users who can Login

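You can restrict the console to root by putting this in the .profile.

# Third "/"-separated field of the tty path: "console" for /dev/console
TTYCHECK=`/usr/bin/tty | cut -d \/ -f3`
# root on any terminal other than the console: show the terminal and end the session
if [[ "$TTYCHECK" != "console" && $(whoami) = "root" ]]
then
    echo "$TTYCHECK"
    exit 1
fi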
Bob E Campbell
Honored Contributor

Re: Restricting Users who can Login

Personal preference, but as someone that often uses a non-root "root" I would change

$(whoami) = "root"
to
$(id -u) = "0"

or similar in the above. I would also consider having a script run that would monitor the file /var/adm/syslog/syslog.log and report any "unexpected" login attempts.
Alan Shearer_1
Frequent Advisor

Re: Restricting Users who can Login

Thanks for the responses.

Not really what I was looking for though.

I am not talking about restriction of root login per se. I am talking about the control of who can login to the system by any means (excluding the console).

So with telnet and r-services disabled, I am focusing on controlling ssh login access through the use of the AllowGroups option. Thus for ssh login a user will have to be in this group.

My concern is that there is a whole other angle I am not considering (other than the above) and am not controlling, allowing anyone to login to the system. Can anyone think of any?

Thanks.
Kenan Erdey
Honored Contributor

Re: Restricting Users who can Login

Hi,

If AllowGroups exists in your sshd_config file, only users in the groups listed in the config file (it can be the user's primary or secondary group) can login. Users in other groups can't.

Computers have lots of memory but no imagination
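
Added example, not part of the original thread and not OpenSSH code: a shell function that applies the rule described in the reply above (primary or secondary membership in a group named by AllowGroups) to list which accounts sshd would admit. The function name, temporary paths and sample accounts are constructed; it assumes literal group names and does not evaluate AllowUsers, DenyUsers, DenyGroups or Match blocks.

```shell
#!/bin/sh
# Added example: which accounts would sshd's AllowGroups admit?
# Arguments: sshd_config file, group file, passwd file (standard formats).
# Assumption: AllowGroups holds literal group names (no wildcard patterns).
allowed_ssh_users() {
    awk -F: '
        # sshd_config: collect names from every AllowGroups line.
        FILENAME == ARGV[1] {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, w, /[ \t]+/)
            if (tolower(w[1]) == "allowgroups") {
                restricted = 1
                for (i = 2; i <= n; i++) if (w[i] != "") allowed[w[i]] = 1
            }
            next
        }
        # group file: remember GIDs and listed (secondary) members.
        FILENAME == ARGV[2] {
            if ($1 in allowed) {
                gid_ok[$3] = 1
                m = split($4, mem, ",")
                for (i = 1; i <= m; i++) member[mem[i]] = 1
            }
            next
        }
        # passwd file: with no AllowGroups line there is no group restriction;
        # otherwise admit on primary GID or secondary membership.
        !restricted || ($4 in gid_ok) || ($1 in member) { print $1 }
    ' "$1" "$2" "$3" | sort -u
}

# Constructed sample data (not from a real system).
d=${TMPDIR:-/tmp}/sshaudit.$$
mkdir "$d"
printf 'Protocol 2\nAllowGroups sshusers admins\n' > "$d/sshd_config"
printf 'sshusers::200:alice,bob\nadmins::201:\nusers::20:carol\n' > "$d/group"
printf 'alice:*:101:20:::\nbob:*:102:20:::\ncarol:*:103:20:::\ndave:*:104:201:::\n' > "$d/passwd"
allowed_ssh_users "$d/sshd_config" "$d/group" "$d/passwd"
rm -rf "$d"
```

Comparing this list against the accounts you expect shows anyone who gets in only through a primary GID, which is easy to miss when reading the group file alone.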
Robert-Jan Goossens
Honored Contributor

Re: Restricting Users who can Login

Hi,

Disable ftp as you can use sftp.

Edit /etc/inetd.conf and comment out the ftp line, then run "inetd -c".

Regards,
Robert-Jan
Alan Shearer_1
Frequent Advisor

Re: Restricting Users who can Login

Thanks again for the responses.

I'm planning on using AllowGroups to restrict who can login based on them being a member of a group specified in sshd_config - so I know this will work for ssh.

I am worried about users being able to login via a different means (if there is one other than ssh, telnet, rlogin etc.) that I'm not addressing.

FTP is already disabled, as is TFTP. Remote X logins are disabled by an empty Xaccess file - should/can I do anything more to dtlogin?

Anyone spot anything I'm missing?

Thanks.