Disable telnet for a particular user

On Solaris 8, is there any way to disable telnet for a particular user and not for the entire system altogether?

I would like the user to retain a shell and so creating a noshell like ftp account is not an option.

Make the default shell be /usr/bin/false. The /etc/passwd entry would look something like

user2:x:1234:4321:no telnet:/home/user2:/usr/bin/false

Also you can add the user's entry in the /etc/hosts.deny file to block the user.

Like I said, the user needs to retain a shell. Setting it to "false" doesn't serve my purpose.

I am curious what hosts.deny is, can you send me code for that file to disable a user?

Check this: Sun: Solaris - hosts.deny and hosts.allow and/or man hosts.deny

I will investigate hosts.deny but it looks like it controls settings for hosts/IPs connecting to the server and not user accounts already on the system.

Aaa yeah, you're right mate, sorry, I've missed that...

This is one way you could do it, though I'm sure it's not the best:
Run a script which will monitor established connections from a specific user;
if a telnet connection from that user is found, kill that process id.

On FreeBSD I can find the appropriate pid using the following command:

$ sockstat | grep ^user-to-find | grep telnet
user-to-find  telnet     2107  3  tcp4   sourceip:sport    targetip:23
$ kill 2107
     sockstat -- list open sockets

Now you just need to find a proper sockstat alternative command for Solaris.
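
A sketch of the PID-selection step from the post above, as an added example that is not part of the original thread: it parses output in the sockstat column layout quoted there and matches the user field exactly, since `grep ^user-to-find` also matches any account whose name merely starts with that string. The sample rows, account names and addresses are constructed, and the helper names `telnet_pids` and `kill_user_telnet` are hypothetical.

```shell
#!/bin/sh
# Added example: select telnet PIDs for one user from sockstat-style output.
# Column layout as in the post: USER COMMAND PID FD PROTO LOCAL FOREIGN

# Constructed sample input (not real hosts or accounts).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
alice    telnet     2107  3  tcp4   192.0.2.10:51234      198.51.100.7:23
alice    telnet     2107  4  tcp4   192.0.2.10:51234      198.51.100.7:23
alice    ssh        2110  3  tcp4   192.0.2.10:51240      198.51.100.7:22
alice2   telnet     2200  3  tcp4   192.0.2.10:51300      198.51.100.7:23
bob      telnet     2300  3  tcp4   192.0.2.10:51400      198.51.100.9:23
alice    telnet     2400  3  tcp4   192.0.2.10:51500      198.51.100.7:2323
EOF
}

# telnet_pids USER: read sockstat output on stdin, print each matching PID once.
# Conditions: exact account name (no prefix match), command "telnet",
# numeric PID (skips the header), TCP socket, foreign port exactly 23.
telnet_pids() {
    awk -v user="$1" '
        $1 == user && $2 == "telnet" && $3 ~ /^[0-9]+$/ &&
        $5 ~ /^tcp/ && $7 ~ /:23$/ {
            if (!seen[$3]++) print $3
        }'
}

# kill_user_telnet USER: run against live sockstat; DRY_RUN=1 only lists PIDs.
kill_user_telnet() {
    sockstat | telnet_pids "$1" | while read -r pid; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would kill $pid"
        else
            kill "$pid"
        fi
    done
}
```

Running `sample_sockstat | telnet_pids alice` exercises the parser without a live sockstat; on a real host, start with `DRY_RUN=1 kill_user_telnet <user>`.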

Try in hosts.deny:

in.telnetd : forbiddenuser@hostIP

This is interesting, but this user account can come from multiple IPs. Can I use forbiddenuser@ALL instead so as to capture all host IPs?

in.telnetd : forbiddenuser@hostIP

*** I actually tried
in.telnetd : forbiddenuser@myhost but it still accepts telnet sessions with forbiddenuser....

Probably you also need to restart the inetd after the changes?
Before doing that, try

kill -HUP pid-of-inetd

This should reread the appropriate configuration files.

I tried kill -HUP and also reset the inetd... but it doesn't help. I don't think this is the problem though.

I am still able to telnet from my host to server so hosts.deny is not working as expected.

bash-3.1# cat /etc/hosts.deny
in.telnetd : forbiddenuser@myhostname

Is tcp_wrapper enabled for telnet on your system?

$ inetadm -l telnet | grep tcp_wrappers

Does the output say enable or true?

# inetadm -l telnet | grep tcp_wrappers
inetadm: not found

Maybe your system is older than Solaris 10.

Then let's look up the inetd properties.
All right, try this:

svcprop -p defaults inetd

It's Solaris 8, as I mentioned in the first post.

# svcprop -p defaults inetd
svcprop: not found

Thanks to everyone helping me out.

Hmm ok

Then, to use tcp_wrapper on other Solaris versions like 7, 8, 9 and older:

You must change the inetd (telnet) daemon configuration so that it is compatible with tcp_wrapper:
first install tcpd, then give it control in inetd.conf.

I advise you to do it according to the Sun document below:

BigAdmin Submitted Tech Tip: Configuring TCP Wrappers for the Solaris Operating System

Good luck
Wishing you success

Regards ygemici