HPE Community
Operating System - HP-UX
1819806 Members
2757 Online
109607 Solutions
New Discussion

User xyz should login from from 10.xxx.xx.x server only

 
SOLVED
Go to solution
bullz
Super Advisor

‎03-18-2010 03:37 AM

‎03-18-2010 03:37 AM

User xyz should login from from 10.xxx.xx.x server only

Guruz,

I have a requirement that user “xyz” should able to login from only specific IPaddress (10.xxx.xxx.1/2/3)

Is this need to be added any entry in /etc/hosts.allow? How to archive this only for one user.
0 Kudos
6 REPLIES 6
Johnson Punniyalingam
Honored Contributor

‎03-18-2010 05:13 AM

‎03-18-2010 05:13 AM

Re: User xyz should login from from 10.xxx.xx.x server only

>>>Is this need to be added any entry in /etc/hosts.allow?<<<<

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1268917971427+28353475&threadId=1341445
Problems are common to all, but attitude makes the difference
0 Kudos
Johnson Punniyalingam
Honored Contributor

‎03-18-2010 05:26 AM

‎03-18-2010 05:26 AM

Solution

Re: User xyz should login from from 10.xxx.xx.x server only

you can also write simple script, which grep "specfic" IP for that particular user "xyz" if matches than it will allow,if not it will fail to longin, you can achieve this by ediing ".profile of "xyz"" added the scripts

# cd /home/xyz

# cp -p .profile .profile.org -> backup .profile

#vi .profile

add lines as per attached file (change IP address as per requirement)
Problems are common to all, but attitude makes the difference
0 Kudos
Horia Chirculescu
Honored Contributor

‎03-18-2010 05:32 AM

‎03-18-2010 05:32 AM

Re: User xyz should login from from 10.xxx.xx.x server only

Hello, bullz

You could disable telnet logins and use only SSH. For the user xyz you should use /usr/bin/sh shell (default in HP-UX)

Then you could modify /etc/profile (add your script at the end of this file!) in order to check for the $LOGNAME and $SSH_CLIENT value.


#---------------------------
USER=restricted_user_name
IP=allowed_IP_address_for_USER

CONNIP=`echo $SSH_CLIENT | awk '{print $1'}`

if [ "$LOGNAME" = "$USER" ] ; then
if [ "$IP" != "$CONNIP" ] ; then
echo "You do not have access from $IP."
logout
fi

fi
#---------------------------------------

If you want to let access from multiple IPs you could change thje second if (if [ "$IP" != "$CONNIP" ] ; then ...) like this:

if [ "$IP" != "$CONNIP" -o "$IP" != "$CONNIP2" -o "$IP" != "$CONNIP3" ] ; then ...

Of course, in this case you should declare the variables CONNIP2 and CONNIP3.

Best regards,
Horia.
Best regards from Romania,
Horia.
0 Kudos
Horia Chirculescu
Honored Contributor

‎03-18-2010 05:35 AM

‎03-18-2010 05:35 AM

Re: User xyz should login from from 10.xxx.xx.x server only

If you would use the user's profile like:

#cd ~user
#vi .profile

When logged in, the user can override your settings (.profile can be altered by this user).

Horia.
Best regards from Romania,
Horia.
0 Kudos
bullz
Super Advisor

‎03-18-2010 08:27 AM

‎03-18-2010 08:27 AM

Re: User xyz should login from from 10.xxx.xx.x server only

Hello all,

Following is seem to be working fine.

#############################################
FP=`who -Rm | grep prakash | awk '{print $6}'`
if [ $FP = "(xx.xx.xx.xx)" ]
then
echo "OK `hostname`"
else
echo "Not Ok for $FP"
exit
fi
#############################################
0 Kudos
bullz
Super Advisor

‎03-30-2010 03:33 AM

‎03-30-2010 03:33 AM

Re: User xyz should login from from 10.xxx.xx.x server only

Found it. Thanx all for ur replies.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.