telnet vs. su command - restrictions

Post by Magdalena.Hew.. » Fri, 28 May 1999 04:00:00



Hi,
Is there any way to change the setup so that a user can log on to a
different account using the su - userID command, but when using a telnet
session cannot use this particular userID (e.g. prod_user) to log on, for
security reasons?

eg.
su - prod_user
passwd:  .....
----should give you the permission to log on as prod_user
eg.
telnet xxx.xxx.xx.xx
user: prod_user
passwd:  ......
-----should not give the permission to log on as prod_user

We do use SecurID login cards and that is why we need to create these
restrictions.

Any hints?
Regards,
...Magda


 
 
 

Post by Larry Garret » Sat, 29 May 1999 04:00:00


On AIX the problem is easy.  Change the prod_user entry in
/etc/security/user to have the line rlogin = false.  If the system is SUN
Solaris the only way I know of is to change the prod_user profile to test
for direct logins and exit, but allow su - prod_user.

> Hi,
> Is there any way to change the setup so that a user can log on to a
> different account using the su - userID command, but when using a telnet
> session cannot use this particular userID (e.g. prod_user) to log on, for
> security reasons?

> eg.
> su - prod_user
> passwd:  .....
> ----should give you the permission to log on as prod_user
> eg.
> telnet xxx.xxx.xx.xx
> user: prod_user
> passwd:  ......
> -----should not give the permission to log on as prod_user

> We do use SecurID login cards and that is why we need to create these
> restrictions.

> Any hints?
> Regards,
> ...Magda

> --== Sent via Deja.com http://www.deja.com/ ==--
> ---Share what you know. Learn what you don't.---
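
The profile test suggested for Solaris in the reply above, as an added example that is not part of the original post: a guard for the top of prod_user's .profile that lets `su - prod_user` through and ends a direct telnet login. The function names are hypothetical, and it assumes a POSIX shell whose `logname` and `id -un` behave as described in the comments.

```shell
# Added example: guard for the top of prod_user's .profile (POSIX sh).
# Function names are hypothetical; prod_user is the account from the thread.

# Classify the session from two names:
#   $1  name recorded for the terminal at login (what logname prints)
#   $2  account the shell is running as now (what id -un prints)
# After "su - prod_user" the terminal still belongs to the original
# user, so the names differ; after a telnet login they are equal.
classify_session() {
    if [ -z "$1" ]; then
        echo unknown        # no login record: cannot prove it was su
    elif [ "$1" = "$2" ]; then
        echo direct
    else
        echo su
    fi
}

# Exit the login shell unless the session was reached through su.
# Arguments are optional overrides used for testing; without them the
# live values from logname and id are used.
guard_profile() {
    trap '' INT QUIT        # the check must not be interruptible
    gp_login=${1-$(logname 2>/dev/null)}
    gp_user=${2-$(id -un)}
    case $(classify_session "$gp_login" "$gp_user") in
        su)
            trap - INT QUIT # restore normal signal handling
            return 0 ;;
        *)
            echo "Direct login to $gp_user is disabled; use su - $gp_user." >&2
            exit 1 ;;
    esac
}

# In .profile, the first line would be:   guard_profile
```

A profile is read only by login shells, so this guard covers telnet and rlogin sessions but not services that start no login shell for the account.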


 
 
 

Post by hymi » Tue, 01 Jun 1999 04:00:00


In our last episode, the evil Dr. Lacto had captured our hero,

>Is there any way to change the setup so that a user can log on to a
>different account using the su - userID command, but when using a telnet
>session cannot use this particular userID (e.g. prod_user) to log on, for
>security reasons?

I seem to recall (I don't have my books handy) that there exists a program
called "lsu".  This program uses what can best be described as a
"reverse-passwd" file.  You have a user, e.g. admin, whose password field in
/etc/passwd is * (not login-able).

Then, in admin's home directory is a config file which contains a list of
* people who are allowed to su to this user
* for each user, an individual encrypted password

lsu would be used in place of su, and would use this config file for
the password instead of /etc/passwd.

I'm trying to search Yahoo for lsu, but I can't get it to honor the
"search just this category" flag, and it only finds Louisiana State Univ.


===============================================================================
I'm getting to the point where I don't feel the pain, and I've had enough.
I'm ready for the next time it hits me again 'cause I've gotten tough.
                                                                   --Billy Joel
===============================================================================

 
 
 

Post by Anthony W. Youngma » Wed, 02 Jun 1999 04:00:00



writes
>Hi,
>Is there any way to change the setup so that a user can log on to a
>different account using the su - userID command, but when using a telnet
>session cannot use this particular userID (e.g. prod_user) to log on, for
>security reasons?

I think that by default, su does not run the new user's shell. Just set
the shell to e.g. /dev/null and any attempt to log in to that id via
telnet or rlogin etc. will burn. Any su that does not use the new shell
should work fine.
--
Anthony W. Youngman - wol at thewolery dot demon dot co dot uk
Trousers with a single hole in their waistband are topologically equivalent
to a doughnut. These sugarcoated trousers have yet to catch on at fast-food
outlets! (SuperStrings by F. David Peat)

If replying by e-mail please mail wol. Anything else may get missed amongst
the spam.

 
 
 
