HPE Community
Operating System - Linux
1828490 Members
2179 Online
109978 Solutions
New Discussion

How to limit a specific user's login from a specific system?

 
Bolek Mynarski
Frequent Advisor

‎03-31-2003 01:20 PM

‎03-31-2003 01:20 PM

How to limit a specific user's login from a specific system?

The subject is a bit long. Let me explain what I am trying to do:

We have an application running on a Linux system that uses a non-expiry account to log on to a trusted HP-UX 11.00i system (telnet).

The password is weak. So, to limit a possible attack, I want to limit this user to be able to login only from a specific location to HP-UX 11.00i. What I am looking for is something similar to the way one can limit who can dial in to HP-UX.

Is is possible using standard HP-UX tools short of writing a little shell script?

Thanks.
It'snever too late to learn new things...
0 Kudos
Reply
6 REPLIES 6
Goran Koruga
Honored Contributor

‎04-01-2003 04:28 AM

‎04-01-2003 04:28 AM

Re: How to limit a specific user's login from a specific system?

Hi.

Not sur eif I understand it correctly, but tcpd allows you to match based on user@host syntax. It relies on ident/auth daemon to get username, and that's far too easy to spoof.

See man hosts_access for details.

Goran
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎04-01-2003 05:19 AM

‎04-01-2003 05:19 AM

Re: How to limit a specific user's login from a specific system?

As indicated above host_access is probably what you desire in a LINUX box. Here's a older man page.

http://www.hmug.org/man/5/hosts_access.html

But you are indicating, "...I want to limit this user to be able to login only from a specific location to HP-UX 11.00i...."

...and in HP-UX its the inetd.sec file. Refer to the :

www.docs.hp.com website.

I'd provide the link for you but the site seems to be down at the moment.

Support Fatherhood - Stop Family Law
0 Kudos
Reply
Jairo Campana
Trusted Contributor

‎04-01-2003 07:48 AM

‎04-01-2003 07:48 AM

Re: How to limit a specific user's login from a specific system?

use, install tcpwrapers /etc/hosts.deny /etc/hosts.allow
legionx
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎04-01-2003 06:31 PM

‎04-01-2003 06:31 PM

Re: How to limit a specific user's login from a specific system?

Here are those links as promised. The first is a man page:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90682/B2355-90682_top.html&con=/hpux/onlinedocs/B2355-90682/00/02/284-con.html&toc=/hpux/onlinedocs/B2355-90682/00/02/284-toc.html&searchterms=inetd.sec&queryid=20030401-192412

Here is a good overall security document with a very good example of inetd.sec:

http://forums.itrc.hp.com/cm/components/FileAttachment/0,,0xab4135a43b46d71190080090279cd0f9,00.doc

There is also Bastion for the really uptight:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000066258828
Support Fatherhood - Stop Family Law
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎04-02-2003 07:05 AM

‎04-02-2003 07:05 AM

Re: How to limit a specific user's login from a specific system?

Here is an example /var/adm/inetd.sec file which you can use as a template to limit logins from the Linux box.

dtspc allow 127.0.0.1 loopback tzfat

ftp allow 10.1.* 10.1.11.* jufprod tzfat hebron jufdev
tftp allow 192.168.* 10.1.* jufprod jufdev hebron moriah
login allow 10.1.* 10.75.* 10.1.31.* 10.4* jufprod hebron moriah juf
dev
telnet allow 10.1.* 10.75.* 10.1.31.* 10.4* jufprod hebron moriah juf
dev


You might also Secure shell. It can be installed on the HP and Linux side. I'm attaching a cookbook on how to set up password free connections. I have tested it Linux to HP and HP to Linux. It works.

Secure Shell: a replacement for rcp ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Jose Antonio Orozco
Frequent Advisor

‎04-02-2003 09:21 AM

‎04-02-2003 09:21 AM

Re: How to limit a specific user's login from a specific system?

you can put some like this on /etc/profile, and configure valid IP's or host per user in their homes (maybe writable only by root)

IPADDRESS=`who -mu | awk '{print $8}' `
export IPADDRESS
if [ -r $HOME/IPADDRESS.VALID
] then
grep $IPADDRESS $HOME/IPADDRESS.VALID
#
:
:
fi
test conditions, exit code 0 would be a ip valid for the user. you could write an a syslog message if source isn't valid and process logout with a single "Access Denied" message

instead of putting a file in each home directory, you could first test the existence of the valid hosts file IPADDRESS.VALID and proced if exists
What is not backed up, it not exists
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.