
aix telnet access to limited user

Can telnet access be granted to certain users on a server and not to others?
How can I check which users on a server have telnet access?
Also, how can I check the last login date of a user?
3 Solutions
1) You can forbid all remote access for all users except the few privileged by issuing

chuser rlogin=false username

against all users whose access should be disallowed.

2) Check with

lsuser -a rlogin ALL | grep true

3) Issue

last username

assistunix (Author) commented:
I don't want to restrict remote access, just wondering if I can restrict the method of remote access, e.g. ssh or telnet.

Can I have userA being only able to login via ssh and userB only being able to login via telnet, and userC with ssh and telnet?

Also, Is there a way for me to track whether userC last logged in via ssh or telnet?
There is no standard method in AIX to achieve what you desire in regard to telnet. Restrictions are possible on a per-host basis using ipsec, but not per user.

The following is a bit uncommon, but feasible, in a way:

You could write your own custom authentication method.

Then you would have to make this method (can be a script) known to the system by creating an entry in /etc/security/login.cfg and then add it to /etc/security/user as the "auth1" attribute, in addition to "SYSTEM", for either each individual user or as "default", depending on how you'd like to design your new method.

The script would have to test which way the user came in. This could be done via "proctree", for example.

- If you decide to make this method the default you would have to create a user list containing usernames and allowed login methods, against which the user who's just logging in must be checked.

- Should you prefer the individual method you must add an "auth1" attribute to each user's entry in /etc/security/user containing your new method and a parameter to be passed to it, e.g. "notelnet". The script/program would have to check the determined login method against this parameter, to either allow (exit 0) or deny (exit 1) the login.

Restricting access via ssh, on the other hand, can be done just straightforwardly by using the "AllowUsers/DenyUsers" directives in sshd_config. The above "auth1" method does not work here because ssh uses its own authentication procedures.

A standard method to track the way the user logged in doesn't really exist, except for ssh which can write to syslog if desired or FTP which updates wtmp by default.

Of course, once you created a custom method you could write your own log ...
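A sketch of the custom "auth1" method described above, added here as an illustration (not code from the thread or from AIX). It assumes the method is handed the output of proctree for the login process, the user name, and the configured parameter word ("notelnet" etc.); the proctree listings below are constructed.

```shell
# Example added to illustrate the thread's idea; not AIX code. It assumes the
# method is invoked as: auth1_main "$(proctree $$)" USERNAME PARAM, where PARAM
# is the word configured next to the method name (e.g. "notelnet").

# auth_method_for TREE: TREE is proctree(1)-style output listing the login
# shell's ancestors; report which daemon the session arrived through.
auth_method_for() {
    case "$1" in
        *telnetd*) echo telnet ;;
        *sshd*)    echo ssh ;;
        *)         echo other ;;
    esac
}

# check_policy METHOD PARAM: return 0 (allow) or 1 (deny), the auth1 contract.
check_policy() {
    case "${2:-any}" in
        notelnet)   [ "$1" != telnet ] ;;
        telnetonly) [ "$1" = telnet ] ;;
        any)        true ;;
        *)          false ;;   # unknown parameter: fail closed
    esac
}

# Constructed stand-ins for "proctree $$" on a telnet and on an ssh login.
SAMPLE_TELNET_TREE='1   /etc/init
 98304   /usr/sbin/inetd
 204800   telnetd -a
 270336   -ksh'
SAMPLE_SSH_TREE='1   /etc/init
 131072   /usr/sbin/sshd
 233472   sshd: alice [priv]
 286720   -ksh'

# auth1_main TREE USER PARAM: decide, write the custom log line the thread
# mentions (logger(1) is skipped if absent), and return the exit status.
auth1_main() {
    method=$(auth_method_for "$1")
    if check_policy "$method" "$3"; then verdict=allow; else verdict=deny; fi
    command -v logger >/dev/null 2>&1 &&
        logger -t auth1-method "user=$2 via=$method param=$3 result=$verdict"
    echo "$2 via $method (param=$3): $verdict"
    [ "$verdict" = allow ]
}

auth1_main "$SAMPLE_TELNET_TREE" alice notelnet || :   # deny
auth1_main "$SAMPLE_SSH_TREE"    alice notelnet || :   # allow
```

As the answer notes, this only governs paths that go through the AIX login sequence; an ssh session never reaches an auth1 method, so ssh is controlled in sshd_config instead.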

Yes, since AIX 5.2,  you can restrict by protocol on a per user a/o group basis, using PAM.
We do it.

We have hundreds of AIX boxes, with LDAP managed users. Not all users are permitted on all boxes. Using the below method permits us to limit some users to subsets of boxes via group management: we don't have to say userX has access (although we could), we say group Y has access, then the security admin team just adds the user to group Y.

It requires changing your security setup to use PAM, but, IMHO, that's a good thing. (if you're not already doing it)

This permits us to have users defined within an LDAP database, and not within /etc/passwd (so when they change their Windows password, Active Directory syncs the password to LDAP, and now their "AIX" password follows their Windows password, on ALL of the systems they have access to), and service accounts defined within /etc/passwd. But I digress.

If you're not running PAM, there's some config work that I won't chew up this thread with; it's not hard, just needs to be done, obviously.

Once complete, add these lines where appropriate within /etc/pam.conf

ftp auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.FTP found=allow
sshd auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.SSH found=allow

The two files /etc/pam.groups.FTP and /etc/pam.groups.SSH are your text files listing users and groups with access. The found=allow states that if found, they're allowed; if not found, they're not allowed. There's a reverse option but I don't recall what it is.
We use +/- prefixes within the text files. +user or +@group says they have access; then obviously, non-existence, -user or -@group says they can't.
It's read top down, first match wins. -ALL at the bottom is the catch-all. While not required due to the "found=allow" option used in pam.conf, we put it in anyway.

Here's a subset of ours:
for FTP:

for ssh:
+root     (for DMZ systems, we code -root, and force root to login via the console)

The group names don't start with @, that's just the syntax so PAM knows you're talking about a group.

One last note on configuring PAM and LDAP. (LDAP is not required, it's just a big side benefit IMHO)
Also there were big integration changes between AIX and Active Directory with AIX 5.3. As for anything, if you are googling information, check the publication dates; we went through a lot of heartburn between us and our AD team, thinking there'd need to be AD schema changes. In OUR configuration, we did not, YMMV. It's been several years, I'd hope you're on recent enough releases that you wouldn't have problems either, but that just really means you need to check that the docs you find are appropriate for your release.
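To make the "top down, first match wins" semantics of those +/- files concrete, here is an added illustration that re-implements the check in plain sh; it is not AIX's pam_permission module, and the list, users and group memberships are constructed.

```shell
# Example added to show the +/- list evaluation the post describes; it is a
# re-implementation for illustration, not AIX's pam_permission module.
# Constructed list in the style of /etc/pam.groups.SSH (one entry per line):
SAMPLE_SSH_LIST='+root
-@contractors
+@unixadmins
+alice
-ALL'

# entry_matches ENTRY USER "GROUPS": ENTRY is the name without its +/- sign.
entry_matches() {
    case "$1" in
        ALL) return 0 ;;
        @*)  for g in $3; do [ "@$g" = "$1" ] && return 0; done; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# permitted USER "GROUPS" LIST: read top-down, first match wins. Returns 0
# if the first matching entry is a "+" entry; 1 for a "-" entry or, as with
# found=allow, when nothing matches at all. Prints the deciding entry.
permitted() {
    for entry in $3; do
        case "$entry" in
            [+-]*) name=${entry#?} ;;
            *)     continue ;;          # ignore malformed/comment lines
        esac
        if entry_matches "$name" "$1" "$2"; then
            echo "$1: decided by '$entry'"
            case "$entry" in +*) return 0 ;; *) return 1 ;; esac
        fi
    done
    echo "$1: no matching entry -> not allowed"
    return 1
}

# Constructed users and their group memberships (as "id -Gn" would list them).
permitted root  "system"            "$SAMPLE_SSH_LIST" || :   # +root
permitted alice "staff contractors" "$SAMPLE_SSH_LIST" || :   # -@contractors beats +alice
permitted bob   "staff unixadmins"  "$SAMPLE_SSH_LIST" || :   # +@unixadmins
permitted carol "staff"             "$SAMPLE_SSH_LIST" || :   # -ALL
```

The alice case is the one worth noticing: a "-@group" line placed above a "+user" line denies the user even though she is listed explicitly, so ordering in these files is part of the policy.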
