Restricting telnet access

Restricting telnet access

Post by Matt Yahn » Wed, 08 Aug 2001 01:00:25



I need to be able to set up our servers to restrict telnet access from
everyone but a few admins.  On our Solaris 2.6 boxes, we had a script called
"restrict.user" that would tell anyone that is not in the list of good users
that they cannot log in.  I can't figure out how the 2.6 box knows to use
this file.  The person that made the script is long gone.

So, basically, I just need to know the best way to restrict telnet access.
Whether it is with this script, or something else.

Thanks.

- Matt


Restricting telnet access

Post by zhefu.. » Wed, 08 Aug 2001 03:10:47


Hi

How about if you disable those restricted users, or change their shell to
/bin/false? They can still ftp but not telnet.

Zhefu Fan


> I need to be able to set up our servers to restrict telnet access from
> everyone but a few admins.  On our Solaris 2.6 boxes, we had a script called
> "restrict.user" that would tell anyone that is not in the list of good users
> that they cannot log in.  I can't figure out how the 2.6 box knows to use
> this file.  The person that made the script is long gone.

> So, basically, I just need to know the best way to restrict telnet access.
> Whether it is with this script, or something else.

> Thanks.

> - Matt



Restricting telnet access

Post by Robert Sherma » Tue, 07 Aug 2001 19:40:50



> Hi

> How about if you disable those restricted users, or change their shell to
> /bin/false? They can still ftp but not telnet.

> Zhefu Fan


> > I need to be able to set up our servers to restrict telnet access from
> > everyone but a few admins.  On our Solaris 2.6 boxes, we had a script called
> > "restrict.user" that would tell anyone that is not in the list of good users
> > that they cannot log in.  I can't figure out how the 2.6 box knows to use
> > this file.  The person that made the script is long gone.

> > So, basically, I just need to know the best way to restrict telnet access.
> > Whether it is with this script, or something else.

> > Thanks.

> > - Matt

if possible, use ssh with an AllowUsers line in the conf file, and turn
off telnet.

or use tcp wrappers, if you have to use telnet.

--
robert sherman
css, cee
georgia institute of technology
atlanta, ga, usa


Restricting telnet access

Post by Martin Hess » Wed, 08 Aug 2001 10:10:13


Hello Matt, everybody,


|
| So, basically, I just need to know the best way to restrict telnet access.
| Whether it is with this script, or something else.

    even though restricting access to login services is probably a rather
sysadmin-like issue, there is a pretty elegant way to restrict/allow access
for a given group of users by programming a PAM service module
(http://www.sun.com/solaris/pam/). There is a code sample there that can be
used for these purposes if you change it a little. You also need to adjust
the /etc/pam.conf and then would be able to specify the allowed/restricted
users, without having to change the shadow file.

The only thing you need to do is make the pam_sm_authenticate function
compare the user that wants to log in with a list of allowed/restricted users
(put that list anywhere, in a database or a file or even in the
/etc/pam.conf) using pam_get_user(pamh, &user, NULL) or pam_get_item or
similar. If you wish the session not to be opened, simply return
PAM_PERM_DENIED (I think).

You need of course to specify your own module as required for those services
(telnet, ftp, ...) that you want to restrict/allow access to in the
/etc/pam.conf AFTER the standard authentication module that you use. If both
are required to log in and your module fails, the session will not be opened,
which gives you the desired effect of restricting access to any login
service (telnet included).

This is only a thought I had, so let me know if it is a practicable solution
for this problem.
Any feedback or thoughts on this are welcome.

Martin Hesse
Koblenz, Germany

PS: I saw that the Makefile that comes with the sample was written for the
Solaris cc compiler. I use gcc and the GNU loader. You probably need to
fix some flags in the Makefile if you are using gcc.
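Martin's PAM approach, as an added example that is not from this thread or from Sun's sample: a small module whose pam_sm_authenticate fetches the user with pam_get_user, checks it against a one-name-per-line allow file and returns PAM_PERM_DENIED otherwise. The file path /etc/telnet.allow, the BUILD_PAM_MODULE define and the pam.conf placement (a "required" entry for the service, after the standard authentication module) are assumptions; the policy check itself makes no PAM calls so it can be tested on its own.

```c
/* Added example, not from this thread: PAM module passing only users named in an allow file.
 * Build with -DBUILD_PAM_MODULE -fPIC -shared -lpam for the module; without the define only
 * the policy check compiles, so it can be unit-tested without libpam. */
#include <stdio.h>
#include <string.h>
#define ALLOW_FILE "/etc/telnet.allow"  /* assumed path: one user per line, '#' comments */
/* Whole-line exact match, so "bob" never matches "bobby"; trailing CR/LF/space ignored. */
static int line_matches(const char *line, size_t len, const char *user)
{
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r' || line[len - 1] == ' '))
        len--;
    if (len == 0 || line[0] == '#')
        return 0;
    return strlen(user) == len && memcmp(line, user, len) == 0;
}
/* Policy check over the allow list held in memory; returns 1 if user is allowed. */
int user_in_allowlist(const char *user, const char *text)
{
    const char *p = text, *nl;
    while (*p != '\0') {
        nl = strchr(p, '\n');
        if (line_matches(p, nl != NULL ? (size_t)(nl - p) : strlen(p), user))
            return 1;
        p = nl != NULL ? nl + 1 : p + strlen(p);
    }
    return 0;
}
/* Same check against the file on disk; an unreadable list allows nobody (fail closed). */
int user_allowed_by_file(const char *user, const char *path)
{
    char line[256]; int ok = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;
    while (!ok && fgets(line, sizeof line, fp) != NULL)
        ok = line_matches(line, strlen(line), user);
    fclose(fp);
    return ok;
}

#ifdef BUILD_PAM_MODULE
#include <security/pam_modules.h>
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;   /* a "required" entry after pam_unix: denial here blocks the login */
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_AUTH_ERR;
    return user_allowed_by_file(user, ALLOW_FILE) ? PAM_SUCCESS : PAM_PERM_DENIED;
}
/* PAM also expects this symbol from an auth module; nothing to set up here. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{   (void)pamh; (void)flags; (void)argc; (void)argv; return PAM_SUCCESS; }
#endif
```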


Restricting telnet access

Post by IIDC » Fri, 10 Aug 2001 20:41:41


Why not use netgroups for this purpose? Of course, you need to have NIS.

> I need to be able to set up our servers to restrict telnet access from
> everyone but a few admins.  On our Solaris 2.6 boxes, we had a script called
> "restrict.user" that would tell anyone that is not in the list of good users
> that they cannot log in.  I can't figure out how the 2.6 box knows to use
> this file.  The person that made the script is long gone.

> So, basically, I just need to know the best way to restrict telnet access.
> Whether it is with this script, or something else.

> Thanks.

> - Matt