Operating System - Linux
How to limit a specific user's login from a specific system?
Bolek Mynarski
Frequent Advisor

The subject is a bit long. Let me explain what I am trying to do:

We have an application running on a Linux system that uses a non-expiry account to log on to a trusted HP-UX 11.00i system (telnet).

The password is weak. So, to limit a possible attack, I want to limit this user to be able to login only from a specific location to HP-UX 11.00i. What I am looking for is something similar to the way one can limit who can dial in to HP-UX.

Is it possible using standard HP-UX tools, short of writing a little shell script?

Thanks.
It's never too late to learn new things...
Goran Koruga
Honored Contributor

Re: How to limit a specific user's login from a specific system?

Hi.

Not sure if I understand it correctly, but tcpd allows you to match based on user@host syntax. It relies on the ident/auth daemon to get the username, and that's far too easy to spoof.

See man hosts_access for details.

Goran
Michael Steele_2
Honored Contributor

Re: How to limit a specific user's login from a specific system?

As indicated above, hosts_access is probably what you desire on a Linux box. Here's an older man page.

http://www.hmug.org/man/5/hosts_access.html

But you are indicating, "...I want to limit this user to be able to login only from a specific location to HP-UX 11.00i...."

...and in HP-UX it's the inetd.sec file. Refer to the

www.docs.hp.com website.

I'd provide the link for you but the site seems to be down at the moment.

Support Fatherhood - Stop Family Law
Jairo Campana
Trusted Contributor

Re: How to limit a specific user's login from a specific system?

Use/install tcpwrappers: /etc/hosts.deny and /etc/hosts.allow
legionx
Michael Steele_2
Honored Contributor

Re: How to limit a specific user's login from a specific system?

Steven E. Protter
Exalted Contributor

Re: How to limit a specific user's login from a specific system?

Here is an example /var/adm/inetd.sec file which you can use as a template to limit logins from the Linux box.

dtspc allow 127.0.0.1 loopback tzfat

ftp allow 10.1.* 10.1.11.* jufprod tzfat hebron jufdev
tftp allow 192.168.* 10.1.* jufprod jufdev hebron moriah
login allow 10.1.* 10.75.* 10.1.31.* 10.4* jufprod hebron moriah jufdev
telnet allow 10.1.* 10.75.* 10.1.31.* 10.4* jufprod hebron moriah jufdev


You might also use Secure Shell. It can be installed on the HP and Linux side. I'm attaching a cookbook on how to set up password-free connections. I have tested it Linux to HP and HP to Linux. It works.

Secure Shell: a replacement for rcp ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
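The inetd.sec template above is easy to get subtly wrong (a pattern that is too wide, or a service line that never matches). The following is an added example, not HP-UX code or the poster's: a small POSIX sh checker that evaluates an inetd.sec-style file for one service and one client the way inetd would, so a ruleset can be tried against the application host's address before it is put into /var/adm/inetd.sec. It assumes lines of the form "service allow|deny pattern...", that the first line naming a service wins, that a service with no line is accepted, and that patterns behave as shell globs (so "10.1.*" covers every 10.1.x.y address and a hostname must match exactly); the file contents, hostnames and addresses below are constructed for the example. Corner cases of the real inetd.sec(4) matching may differ.

```shell
#!/bin/sh
# Added example (not HP-UX code): evaluate an inetd.sec-style rule file for one
# incoming connection, to check a ruleset before deploying it.
# Assumptions: lines are "service allow|deny pattern...", the first line naming a
# service wins, a service with no line is accepted, and patterns are matched as
# shell globs ("10.1.*" covers every 10.1.x.y address; a hostname must match exactly).

# inetd_sec_check FILE SERVICE CLIENT -> exit status 0 = accept, 1 = reject
inetd_sec_check() (
    set -f                      # no pathname expansion while looping over patterns
    file=$1; service=$2; client=$3
    while read -r svc action patterns; do
        case $svc in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$svc" = "$service" ] || continue
        matched=1
        for pat in $patterns; do
            case $client in $pat) matched=0; break ;; esac
        done
        case $action in
            allow) exit $matched ;;                        # accept only listed clients
            deny)  [ $matched -eq 0 ] && exit 1; exit 0 ;; # reject only listed clients
            *)     exit 1 ;;                               # malformed line: fail closed
        esac
    done < "$file"
    exit 0   # no rule for this service: inetd.sec leaves it open
)

# Constructed sample ruleset (hostnames and addresses are made up for the example).
SAMPLE_SEC=$(mktemp)
trap 'rm -f "$SAMPLE_SEC"' EXIT
cat > "$SAMPLE_SEC" <<'EOF'
# allow telnet from the application host only; inetd refuses everything else
telnet allow 10.1.31.7 apphost
ftp    allow 10.1.* 10.75.*
login  deny  192.168.*
EOF

# describe FILE SERVICE CLIENT -> prints accept/reject for a quick manual check
describe() {
    if inetd_sec_check "$1" "$2" "$3"; then
        echo "$2 from $3: accept"
    else
        echo "$2 from $3: reject"
    fi
}
describe "$SAMPLE_SEC" telnet 10.1.31.7
describe "$SAMPLE_SEC" telnet 10.1.31.8
describe "$SAMPLE_SEC" login 192.168.4.4
describe "$SAMPLE_SEC" tftp 10.9.9.9
```

Run it with the real /var/adm/inetd.sec as FILE and the Linux box's address as CLIENT to confirm that telnet is accepted from there and rejected from an address outside the pattern. The last describe line is the point worth remembering: a service with no inetd.sec entry stays open, so each service the application does not need should get its own deny line (or be disabled in inetd.conf) rather than be left unmentioned.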
Jose Antonio Orozco
Frequent Advisor

Re: How to limit a specific user's login from a specific system?

You can put something like this in /etc/profile, and configure the valid IPs or hosts per user in their home directories (maybe writable only by root):

IPADDRESS=`who -mu | awk '{print $8}'`
export IPADDRESS
if [ -r "$HOME/IPADDRESS.VALID" ]; then
    grep "$IPADDRESS" "$HOME/IPADDRESS.VALID"
    # test the exit code of grep here: 0 means the source address is listed
    :
    :
fi
Test the conditions; exit code 0 would mean a valid IP for the user. You could write a syslog message if the source isn't valid and process a logout with a single "Access Denied" message.

Instead of putting a file in each home directory, you could first test for the existence of the valid hosts file IPADDRESS.VALID and proceed if it exists.
What is not backed up does not exist.
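A plain grep of the address against the list, as in the sketch above, has two weak spots: it matches substrings (10.1.1.1 also matches 10.1.1.10), and an empty address (who printed no host field) matches every line. The following is an added example, not the poster's code: a stricter form of the /etc/profile gate as a POSIX sh function that requires an exact whole-line match and fails closed on an empty or malformed address or a missing list. It assumes the source address has already been extracted (the thread uses who -mu), and that the list file is one address or hostname per line, root-owned and not writable by the user; the list contents and addresses are constructed for the example. The /etc/profile usage at the end is a sketch in comments, since the real logger and exit belong in the profile, not in a standalone script.

```shell
#!/bin/sh
# Added example (not the poster's code): exact-match gate for a per-user allow list.
# Assumptions: ADDR was extracted earlier (e.g. from `who -mu`); LISTFILE holds one
# address or hostname per line and is root-owned and unwritable by the user.

# login_source_allowed ADDR LISTFILE -> 0 if ADDR appears as a whole line, 1 otherwise
login_source_allowed() {
    addr=$1; list=$2
    # empty address, or one containing characters that no host/IP uses: refuse
    case $addr in '' | *[!A-Za-z0-9.:_-]*) return 1 ;; esac
    # list missing or unreadable: refuse rather than silently allow
    [ -r "$list" ] || return 1
    # -F literal, -x whole line: "10.1.1.1" must not match "10.1.1.10" or "110.1.1.1"
    grep -F -x -q -- "$addr" "$list"
}

# Constructed allow list for the application account (values are made up).
ALLOWED=$(mktemp)
trap 'rm -f "$ALLOWED"' EXIT
cat > "$ALLOWED" <<'EOF'
# constructed allow list for the application account
10.1.31.7
apphost
EOF

# How /etc/profile would use it (sketch only, not executed here):
#   IPADDRESS=`who -mu | awk '{print $8}' | tr -d '()'`   # host field format is system-dependent
#   if ! login_source_allowed "$IPADDRESS" "$HOME/IPADDRESS.VALID"; then
#       logger -p auth.warning "login for $LOGNAME refused from ${IPADDRESS:-unknown}"
#       echo "Access Denied"
#       exit 1
#   fi

for a in 10.1.31.7 10.1.31.70 apphost ""; do
    if login_source_allowed "$a" "$ALLOWED"; then
        echo "source '${a:-<empty>}': allowed"
    else
        echo "source '${a:-<empty>}': refused"
    fi
done
```

Because /etc/profile only runs for login shells that source it, this gate is a second layer behind inetd.sec (which acts before any shell starts), not a replacement for it; keeping the list root-owned is what stops the account from editing its own allow list.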