Wednesday, May 6, 2009

Restricting Remote Logins to listed users

To restrict remote logins to specific users, do the following:

1. Create a file called /etc/remusers with the names of the users, that are allowed to perform remote logins. It can look like:


2. Modify the /etc/profile and /etc/csh.login files by adding the code listed below.

Putting the following code in /etc/profile and /etc/csh.login will keep users not listed in the file /etc/remusers from being able to login from remote location or telnet session. Be sure carriage returns are not included in the script files when you add the below code to them or the scripts will not run correctly, giving strange errors. Carriage returns are many times accidently embedded when code is copied from Windows or DOS based machines to Linux based machines.

  1. trap "" 2 3
  2. if { $LOGNAME != "root" ]
  3. then
  4. if [ $TERM != "linux" ]
  5. then
  6. if [ -z `cat /etc/remusers |grep $LOGNAME` ]
  7. then
  8. echo " *************************************************** "
  9. echo " * * "
  10. echo " * Remote logins are not allowed on this system * "
  11. echo " * Please use a terminal or see the administrator. * "
  12. echo " * Press RETURN to exit. * "
  13. echo " * * "
  14. echo " *************************************************** "
  15. echo
  16. read
  17. exit
  18. fi
  19. fi
  20. fi
  21. trap 2 3

Line 1 traps SIGINT and SIGQUIT, so users cannot abort the script. Line 2 is a safety, in case you change the /etc/profile before you create the /etc/remusers file. Line 4 only runs the script if the terminal is not local. The "linux" terminal type is used locally. You may need to change this to:

if [ $TERM == "vt100" ]

if you are using serial terminals also. As an alternate, add another if statement that excludes the serial terminal type inside the first if statement to exclude both serial terminals and local terminals. You can determine what terminal type is being used by looking at the value of the TERM variable with the env command after logging in from the terminal in question. Also there are various types of terminals that telnet clients may emulate, so, you will want to be sure not to allow any terminals that a telnet client can emulate.

Line 6 determines if the user who just logged in, $LOGNAME, is listed in the /etc/remusers file. Line 16 reads a line from the user, requiring them to press an end of line key such as RETURN. Line 17 causes the shell to exit.

No comments:

Post a Comment