Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

restrict user rlogin while allowing 'telnet localhost'? 2

Status
Not open for further replies.
ksas025

ksas025

Technical User
Jun 3, 2004
92
US
Is it possible to deny rlogins in /etc/security/user while still allowing telnet localhost?

If not maybe a more general questions is in order. In my environment I have a system which requires the use of generic user accounts. In an effort to improve autditing we are trying to force remote users to login with an assigned username and su to a generic account. Is the only way to do this via rlogin setting in the user file? Ideally I would like to keep remote logins from other secure servers for generic accounts but I cant find a way to limit logons by host; the only option is on/off.

Thanks for any help.
 
Sort by date Sort by votes
Ill give that a try. Thanks.

I am familiar with tcpwrappers on linux. I guess I never though about it for AIX.

 
Upvote 0 Downvote
Try using sudo to do the account switching, and just disable remote logins for the account, or otherwise set the password to something insane.
 
Upvote 0 Downvote
I had a similar requirement a few jobs back. This is how we handled it:

1.) a generic group called GENERIC was created.
2.) This group was granted to all of the generic accounts.
3.) We added the following to /etc/profile:

Code: 
Generic_user ()
{
echo ""
echo ""
echo ""
echo "                This is a secured account!"
echo ""
echo "" 
echo "" 
echo "        You need to either su or su - to this account."
echo ""
echo ""
sleep 5
}

username=`whoami | awk '{print $1}'`
rname=`who am i | awk '{print $1}'`
if [ $rname = $username ]
then
   groups $username | grep GENERIC > /dev/null  && Generic_user && kill -9 $$
fi

What this would do is:
a. whoami
b. who am i
c. compare the results - if equal, check to see if the account has the GENERIC group assigned
d. if the GENERIC group is found, display a message and then log the account out after a short delay.
e. if not found, allow the login to proceed.

Add a little color to your PUTTY terminal: faq52-6627
 
Upvote 0 Downvote
sbrews, thats a great idea! I think that might be a little better (customer service wise) than the tcpwrappers albiet less secure. I will need to think about this one a little bit.

THanks to all and stars for sbrews and Rod!

Alex
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AnjuSingh
  • Locked
  • Question
Hello, I have a generic user whi
Replies
3
Views
113
iggsterman
iggsterman
sivakavi
  • Locked
  • Question
unable to delete user or create user
Replies
1
Views
127
sivakavi
sivakavi
leemalloy
  • Locked
  • Question
Deny rsh,tn,or rlogin
Replies
1
Views
65
AIXLogician
AIXLogician
BobMCT
  • Locked
  • Question
Simple "telnet" access question?
Replies
1
Views
80
BobMCT
BobMCT
generaal
  • Locked
  • Question
Copying a user profile
Replies
6
Views
145
generaal
generaal

Part and Inventory Search

Sponsor

Back
Top