HPE Community
Operating System - HP-UX
1855754 Members
4987 Online
104103 Solutions
New Discussion

Restrictive Telnet Account

 
SOLVED
Go to solution
Mike Ingram
Occasional Advisor

‎11-20-2003 07:56 PM

‎11-20-2003 07:56 PM

Restrictive Telnet Account

Is it possible to create a login on HP-UX 11.0, that will allow a user to telnet to my machine and not be able to leave their home directory, and have access to only the commands I choose eg. ping, ftp and traceroute? If so, please point me to where I can find instructions. Thanks.
Don't be shy to ask if you don't know the answer
0 Kudos
Reply
6 REPLIES 6
Mark Grant
Honored Contributor

‎11-20-2003 08:03 PM

‎11-20-2003 08:03 PM

Solution

Re: Restrictive Telnet Account

The two options I can think of are the "restricted" shell. Check "man posix-sh" and look for "rsh" within that.

Alternatively you could get the users .profile to run "chroot" which allows you to put a logical "/" directory wherever you fancy (most usefully over the users home directory) and build a "/bin" and "/etc" etc etc under that.
Never preceed any demonstration with anything more predictive than "watch this"
Reply
Graham Cameron_1
Honored Contributor

‎11-20-2003 08:35 PM

‎11-20-2003 08:35 PM

Re: Restrictive Telnet Account

I would make their default shell the restricted shell (/usr/bin/rsh).

Have to take care they don't shell out though, even from ftp a canny user could run up a shell.

Note that when using rsh, they can only run commands in their local directory, or in their PATH (which they cannot change).

Therefore the sh-posix manpage suggests creating a /usr/rbin directory, copying your permitted commands into it, and making this the only entry in $PATH.

-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Reply
John Kittel
Trusted Contributor

‎11-21-2003 06:48 AM

‎11-21-2003 06:48 AM

Re: Restrictive Telnet Account

Graham already pointed you in the right direction, but see this thread ( virtually identical issue)...

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=266739

- John
Reply
Mike Ingram
Occasional Advisor

‎11-21-2003 08:59 AM

‎11-21-2003 08:59 AM

Re: Restrictive Telnet Account

Thanks Guys - this looks promising!
Don't be shy to ask if you don't know the answer
0 Kudos
Reply
Hazem Mahmoud_3
Respected Contributor

‎11-22-2003 01:17 AM

‎11-22-2003 01:17 AM

Re: Restrictive Telnet Account

There is a software out there developed by a company called Symark that does just that and more! I saw a demo of it a few months ago and it is great! It allows you to restrict certain system resources and files/directories to each user, creates an audit of all commands and activity by the user, and the best part is that you can monitor the shell (real-time) that a user is using. It is really cool! You can find info at http://www.symark.com/powerbroker.htm. They will walk you through downloading a demo and show you how it all works over the phone. It was not terribly expensive either.

Hazem
Sr. Unix Admin
0 Kudos
Reply
Mike Ingram
Occasional Advisor

‎11-22-2003 08:16 AM

‎11-22-2003 08:16 AM

Re: Restrictive Telnet Account

Hi Hazem,

Thanks for your advice, but I did what the others had suggested and it works fine for my needs. I just needed an account for our networking team to be able to test doing three commands from my host, and that's all they can now do.
To the others who offered suggestions - many thanks. It's doing the job fine. I am storing the .sh_history, so I'll hopefully see if they're trying to do anything "naughty"!!

Cheers,

Mike.
Don't be shy to ask if you don't know the answer
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.