
Preventing telnet for non-root users

Jeff Ohlhausen
Frequent Advisor

Preventing telnet for non-root users

Hi,
I want to prevent users such as oracle from telnetting to the machine directly. I want to force them to su from their own userid. Does anyone know how to do this?

Thanks
Jeff
Do or do not - there is no try.
9 REPLIES
Darrin St. Amant
Frequent Advisor

Re: Preventing telnet for non-root users

Jeff

One of two things:

For telnet / ssh, you only need to put a valid shell in /etc/passwd to
enable telnet. If you want to disable it, put /bin/false or an invalid shell
(the first is my regular choice. Do not forget to add /bin/false to
/etc/shells if you do not have it already there).

Or you can restrict through /etc/xinetd.d/telnet

You really should be using SSH services and not Telnet.
Jeff Ohlhausen
Frequent Advisor

Re: Preventing telnet for non-root users

Thanks for the answer. The second directory does not exist in SuSE Linux. As for editing the /etc/passwd, I need users to be able to su - to the user. Just not directly.

Do you or anyone have additional suggestions?
Do or do not - there is no try.
Darrin St. Amant
Frequent Advisor

Re: Preventing telnet for non-root users

Not sure I'm following you. If you force a user to not be able to telnet to the machine, then how are they supposed to SU?

ds
Greg Wojtak
Advisor

Re: Preventing telnet for non-root users

You could change the password, and then set up sudo to allow each user that needs to become oracle to run 'sudo su - oracle'. Basically, it locks out the oracle account, but since they are su'ing with sudo, no su password check is needed, just the sudo password check.
Martin P.J. Zinser
Honored Contributor

Re: Preventing telnet for non-root users

Hello Jeff,

just to clarify, what you want them to do

telnet host
user:
...
su

vs
telnet host
user: root
...

is this true?

You are aware that in most cases they will be able to easily defeat whatever you set up to force them to do things your way if they have root access, aren't you?

Greetings, Martin

P.S. To disable root access, check if you have /etc/securettys. If yes, replace it with an empty file
Stuart Browne
Honored Contributor
Solution

Re: Preventing telnet for non-root users

The way I read it is that the users don't need to get root access but 'oracle' user access.

So basically you want the 'oracle' user to be a root-like account without direct logins, only accessible from secure TTYs, or from 'su'.

Sounds like a job for Super 'PAM'! ..

I'd really like to say 'pam is your friend', but it is really a pain in the ass ;)

Try adding an entry to your '/etc/security/access.conf' similar to:

-:oracle:ALL

And modifying '/etc/pam.d/login' to have a line similar to:

account required /lib/security/pam_access.so

This should say that the 'oracle' account can't log in, but can still be su'd to.
One long-haired git at your service...
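
The effect of the two lines in the reply above, as an added example that is not part of the original post: a simplified Python model of pam_access showing that the rule is only consulted for services whose PAM file lists the module. The sample file contents, the user `jeff` and the origin values are constructed assumptions, and the matcher handles only literal names and `ALL` (no groups, `EXCEPT`, `LOCAL` or netmasks).

```python
# Constructed sample files modelling the setup from the post (not real system output).
ACCESS_CONF = """\
# /etc/security/access.conf
-:oracle:ALL
"""
PAM_SERVICES = {
    # /etc/pam.d/login with the pam_access line from the post added
    "login": "auth required pam_unix.so\n"
             "account required /lib/security/pam_access.so\n"
             "account required pam_unix.so\n",
    # /etc/pam.d/su, assumed here to have no pam_access line
    "su": "auth sufficient pam_rootok.so\n"
          "account required pam_unix.so\n",
}

def uses_pam_access(service_text):
    """True if the service's account stack calls pam_access.so."""
    for line in service_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "account":
            # fields[2:] also covers bracketed control values containing spaces
            if any(f.rsplit("/", 1)[-1] == "pam_access.so" for f in fields[2:]):
                return True
    return False

def field_matches(field, value):
    """Users/origins field: whitespace-separated tokens, ALL is a wildcard."""
    return any(tok in ("ALL", value) for tok in field.split())

def access_conf_allows(conf_text, user, origin):
    """The first matching 'permission:users:origins' rule decides; no match allows."""
    for line in conf_text.splitlines():
        parts = [p.strip() for p in line.strip().split(":", 2)]
        if line.lstrip().startswith("#") or len(parts) != 3:
            continue
        perm, users, origins = parts
        if field_matches(users, user) and field_matches(origins, origin):
            return perm == "+"
    return True

def account_check_passes(service, user, origin):
    """Result of the pam_access account check only; authentication is separate."""
    if not uses_pam_access(PAM_SERVICES[service]):
        return True  # module not in this service's stack, access.conf never read
    return access_conf_allows(ACCESS_CONF, user, origin)

if __name__ == "__main__":
    for svc, user, origin in [("login", "oracle", "client.example.com"),
                              ("su", "oracle", "pts/3"),
                              ("login", "jeff", "client.example.com")]:
        print(svc, user, "allowed" if account_check_passes(svc, user, origin) else "denied")
```

The same reasoning applies to any other login path: a service whose PAM file lacks the pam_access line, such as /etc/pam.d/sshd if sshd is in use, is not covered by the access.conf rule.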
Mobeen_1
Esteemed Contributor

Re: Preventing telnet for non-root users

I think what Jeff is asking for is to prevent some generic account users (like Oracle) from logging into his system via telnet. Since the oracle account is shared by more than 1 user, he is probably looking at implementing su for such generic accounts.

Jeff,
I think this is one of the most common questions I am seeing on these forums. I would suggest that you review the link below and let us know if you have any specific questions.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=469590

rgds
Mobeen
SureshKumar_2
Valued Contributor

Re: Preventing telnet for non-root users

Hi Jeff

check file
*) /etc/securetty
*) /etc/security/access.conf

Hope this url will help u further, related to suse.

http://www.linuxquestions.org/questions/history/166670


Things are very easy, when u know about it...
Jeff Ohlhausen
Frequent Advisor

Re: Preventing telnet for non-root users

Everyone,
First of all, thanks for all your help. To clarify, I wanted to prevent remote logins to users such as oracle, but I still wanted to be able to su to the same user. The oracle user is still required to perform tasks, but I wanted to track who was using the user.

The answer that solved my problem was from Stuart! Thanks
Jeff
Do or do not - there is no try.