[comp.unix.wizards] Limiting Telnet Access

hutch@ssmct62.ssc.af.mil (Capt E. Lee Hutchins) (06/04/91)

We have a 3B2 running Wollongon TCP/IP.  We need to limit telnet access
for some users, but NOT through disabling their accounts.

	I know that there is a ftp.users file for ftp.  Is there something
like that for telnet??

			thanx
				lee
-- 

==============================================================================

			Capt E. Lee Hutchins

USPost Office: HQ SSC/SSMCT          ||   Voice: AV 596-4555/4171
	       Gunter AFB, AL 36114  ||          COM: (205) 279-4555/4171
				     ||
email: hutch@ssmct62.ssc.af.mil      ||   FAX:   AV: 596-3262
		       		     ||	 	 COM: (205) 279-3262

     The views related here do not in any way represent the USAF or USGOV or 
GUNTER AFB, SSMCT or anyone else for that matter!

Go AIR FORCE BEAT Army, Navy or whoever else the FALCONS are playing this week!

		UNIX and X-Windows: the ONLY solution for REAL men 

==============================================================================

jscott@isis.cs.du.edu (James Scott) (06/05/91)

In article <27103@adm.brl.mil> you write:
=> We have a 3B2 running Wollongon TCP/IP.  We need to limit telnet access
=> for some users, but NOT through disabling their accounts.

I thought we were the only one with problems with that setup
(I thought we were the only ones that still _Had_ that setup)

Anyway, this is our solution:
1.) Make a group called 'telnet'.
2.) chgrp telnet /usr/bin/telnet .
3.) chmod o=,gu=rx /usr/bin/telnet .
4.) Edit your /etc/group file, adding the login names of users who 
	can use telnet into the last field separated by commas.
5.) For someone to use telnet, they must first type the command

	$ newgrp telnet
and _then_
	$ telnet

NOTE: the newgrp command CAN NOT be used in a shell script.
k
This worked quite well for us until our kernel bit the dust... Ever
tried to mix UNIX versions on a 3B2?  Anyway, I asked this same question
over the net a couple months ago, and the answers I received follow.  
_PLEASE_ let me know how you solve your problem...  


==========================================================================
James Scott                                 /* jscott@gwhs.colorado.edu */
George Washington H.S., Denver		             jscott@isis.cs.du.edu
							 gwhs@teal.csn.org
==========================================================================
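
An added example, not code from the original posts: the five steps above as a small POSIX sh script, with the group-file edit done by awk instead of by hand and two checks that confirm the result (membership in the group line, and that 'other' has no access to the binary). Assumptions of mine: the host has a SysV-style groupadd, the group file has the classic name:passwd:gid:member,member layout, and the client lives at /usr/bin/telnet as in the post. On a system with supplementary groups the newgrp step is unnecessary after the user logs in again; on the 3B2 of the post it was required. As the later replies point out, this restricts only the local copy of the client, not the network.

```shell
#!/bin/sh
# Added example (not from the original posts): lock /usr/bin/telnet to a
# 'telnet' group as the steps above describe, and verify the result.
# Assumptions (mine): groupadd exists; group file is name:pw:gid:members.

TELNET_BIN=${TELNET_BIN:-/usr/bin/telnet}    # path used in the post
TELNET_GROUP=${TELNET_GROUP:-telnet}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Steps 1-3 of the post. Must run as root.
restrict_telnet() {
    grep -q "^$TELNET_GROUP:" "$GROUP_FILE" || groupadd "$TELNET_GROUP"
    chgrp "$TELNET_GROUP" "$TELNET_BIN"
    chmod o=,gu=rx "$TELNET_BIN"     # owner and group r-x, other nothing
}

# Step 4: add a login to the member list of the group line, leaving every
# other line untouched and never listing a user twice. Writes the new file
# to stdout so it can be reviewed before replacing the real one.
add_member() {
    user=$1; file=${2:-$GROUP_FILE}
    awk -F: -v g="$TELNET_GROUP" -v u="$user" 'BEGIN { OFS = ":" }
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print; next }
            $4 = ($4 == "") ? u : ($4 "," u)
        }
        { print }' "$file"
}

# Is 'user' a member of the telnet group in 'file'? Exit 0 = yes.
is_member() {
    user=$1; file=${2:-$GROUP_FILE}
    awk -F: -v g="$TELNET_GROUP" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Does the file have mode rwxr-x--- (no access for 'other')? Exit 0 = yes.
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rwxr-x---" ]
}
```

Typical use as root: `restrict_telnet`, then `add_member lee /etc/group > /etc/group.new` and swap the file in after inspecting it; `perms_ok /usr/bin/telnet` is the check to put in a nightly audit so a later package upgrade that resets the mode is noticed.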

zfgo01@hgo7.hou.amoco.com (F. G. Oakes) (06/06/91)

hutch@ssmct62.ssc.af.mil (Capt E. Lee Hutchins) writes:

>We have a 3B2 running Wollongon TCP/IP.  We need to limit telnet access
>for some users, but NOT through disabling their accounts.

>	I know that there is a ftp.users file for ftp.  Is there something
>like that for telnet??

Two ways come to mind:
1) change the permissions on the TELNET executable so that it is restricted to 
	group(s) <three of them if you include 'other'>; and
2) 'front-end' it (TELNET) with an executable that checks whatever you want
	to before executing it, if your front-end determines it is OK.
-- 
============================================================================
zfgo01@hgo7.hou.amoco.com (Glen Oakes)
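
An added example, not code from the original posts: a front-end of the kind suggested in (2) above, which gives the original poster something like the ftp.users file he asked for. Assumptions of mine, not the thread's: the real client has been moved to /usr/lib/telnet.real with a mode and group that stop it being run directly, this script is installed as /usr/bin/telnet, and the allow list is /etc/telnet.users, one login per line with '#' comments. The two points a practitioner should take from it: identify the caller with id(1), not with $USER or $LOGNAME, which the caller controls; and fail closed when the list is missing. It shares the limitation of the group-permission approach: it gates only this copy of the client.

```shell
#!/bin/sh
# Added example (not from the original posts): an allow-list front-end for
# the telnet client. Assumptions (mine): real client at /usr/lib/telnet.real,
# allow list at /etc/telnet.users, this script installed as /usr/bin/telnet.

REAL_TELNET=${REAL_TELNET:-/usr/lib/telnet.real}
ALLOW_FILE=${ALLOW_FILE:-/etc/telnet.users}

# Exit 0 if 'user' appears as a whole line in 'file'; comments and blank
# lines are ignored. Whole-line match, so 'al' is not let in because
# 'alice' is listed. A missing or unreadable list means nobody is allowed.
user_allowed() {
    user=$1; file=$2
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$file" |
        grep -qx -- "$user"
}

# The caller's identity comes from the kernel's uid, never from $USER or
# $LOGNAME, which any caller can set before running this script.
caller() { id -un; }

# Entry point: exec the real client when allowed; otherwise log the
# refusal and return 77 (EX_NOPERM from sysexits).
telnet_frontend() {
    who=$(caller)
    if user_allowed "$who" "$ALLOW_FILE"; then
        exec "$REAL_TELNET" "$@"
    fi
    logger -p auth.notice -t telnet-frontend \
        "refused $who (not listed in $ALLOW_FILE)" 2>/dev/null || :
    echo "telnet: access not permitted for $who" >&2
    return 77
}

# Run as the client only when invoked under that name, so the functions
# can also be sourced and tested on their own.
case ${0##*/} in telnet) telnet_frontend "$@" ;; esac
```

The allow file should be root-owned and not writable by the users it governs, and the real client must not be world-executable, otherwise the front-end is decoration; the denial message deliberately says which list was consulted, which makes the refusal easy to explain at the help desk.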

woodcock@mentor.cc.purdue.edu (Bruce Sterling Woodcock) (06/06/91)

In article <1991Jun4.230509.3655@mnemosyne.cs.du.edu> jscott@isis.UUCP (James Scott) writes:
>Anyway, this is our solution:
>1.) Make a group called 'telnet'.
>2.) chgrp telnet /usr/bin/telnet .
>3.) chmod o=,gu=rx /usr/bin/telnet .
>4.) Edit your /etc/group file, adding the login names of users who 
>	can use telnet into the last field separated by commas.
>5.) For someone to use telnet, they must first type the command
>
>	$ newgrp telnet
>and _then_
>	$ telnet
>
>NOTE: the newgrp command CAN NOT be used in a shell script.
>k

I don't think this solves the problem.  Anyone with a little knowledge of
programming... hell, even with a little knowledge of ftp... can use their 
own copy of telnet or some other client to interface to the net.  Sure, it
may slow down some people at first, but once word gets out that so-and-so
has their own telnet program, you'll be right back to the same situation.

My advice:  If you want to restrict TCP/IP, remove your machine from the
network.  Restricting net access to the users is not a very sensible thing,
usually, or a nice one.  If you *do* want to restrict it, do some kernel
hacking.  I know of several universities that have restricted the network
system calls in this way.

Bruce

-- 
|    woodcock@mentor.cc.purdue.edu    | "That's Bruce for ya, always jumping | 
|       sirbruce@gnu.ai.mit.edu       |    on the bandwagon, even if it's    |
| sterling@maxwell.physics.purdue.edu |      running over him." -- Xeno      |
|   Bruce@Asylum/CaveMUCK/FurryMUCK   | "I view muds as dying." -- Firefoot  |

rsalz@bbn.com (Rich Salz) (06/07/91)

What is to stop somebody from entering the code to BSD telnet
and running it on their machine?  Telnet client needs no root
privileges.  "Can't be done" is the only real answer to this
question.
	/r$
-- 
Please send comp.sources.unix-related mail to rsalz@uunet.uu.net.
Use a domain-based address or give alternate paths, or you may lose out.

subbarao@phoenix.Princeton.EDU (Kartik Subbarao) (06/10/91)

In article <1991Jun4.230509.3655@mnemosyne.cs.du.edu> jscott@isis.UUCP (James Scott) writes:
>
>Anyway, this is our solution:
>1.) Make a group called 'telnet'.
>2.) chgrp telnet /usr/bin/telnet .
>3.) chmod o=,gu=rx /usr/bin/telnet .
>4.) Edit your /etc/group file, adding the login names of users who 
>	can use telnet into the last field seperated by commas.
>5.) For someone to use telnet, they must first type the command

Oh please. Didn't you ever think that people could *ftp* the telnet source,
then compile it and run telnet themselves? 


	-Kartik


	
--
internet# adb -w -k /vmunix /dev/kmem < /dev/zero

subbarao@phoenix.Princeton.EDU -| Internet
kartik@silvertone.Princeton.EDU (NeXT mail)  
SUBBARAO@PUCC.BITNET			          - Bitnet

EMTEXLEY@MTUS5.BITNET (06/14/91)

Limiting Access and You....


You can directly modify user states by changing their personal settings...

Wizardry enough, no?

The CUbe