aix telnet access to limited user

Posted on 2012-09-12
Last Modified: 2012-09-16
Can telnet access be granted to certain users on a server and not to others?
How can I check which users on a server have telnet access?
Also, how can I check the last login date of a user?
Question by: assistunix
    LVL 68

    Assisted Solution

    1) You can forbid all remote access for all users except the few privileged by issuing

    chuser rlogin=false username

    against all users whose access should be disallowed.

    2) Check with

    lsuser -a rlogin ALL | grep true

    3) Issue

    last username


    Author Comment

    I don't want to restrict remote access, just wondering if I can restrict the method of remote access, e.g. ssh or telnet.

    Can I have userA being only able to login via ssh and userB only being able to login via telnet, and userC with ssh and telnet?

    Also, is there a way for me to track whether userC last logged in via ssh or telnet?
    LVL 68

    Accepted Solution

    There is no standard method in AIX to achieve what you desire in regard to telnet. Restrictions are possible on a per-host basis using ipsec, but not per user.

    The following is a bit uncommon, but feasible, in a way:

    You could write your own custom authentication method.

    Then you would have to make this method (can be a script) known to the system by creating an entry in /etc/security/login.cfg and then add it to /etc/security/user as the "auth1" attribute, in addition to "SYSTEM", for either each individual user or as "default", depending on how you'd like to design your new method.

    The script would have to test which way the user came in. This could be done via "proctree", for example.

    - If you decide to make this method the default you would have to create a user list containing usernames and allowed login methods, against which the user who's just logging in must be checked.

    - Should you prefer the individual method you must add an "auth1" attribute to each user's entry in /etc/security/user containing your new method and a parameter to be passed to it, e.g. "notelnet". The script/program would have to check the determined login method against this parameter, to either allow (exit 0) or deny (exit 1) the login.

    Restricting access via ssh, on the other hand, can be done just straightforwardly by using the "AllowUsers/DenyUsers" directives in sshd_config. The above "auth1" method does not work here because ssh uses its own authentication procedures.

    A standard way to track the way the user logged in doesn't really exist, except for ssh which can write to syslog if desired or FTP which updates wtmp by default.

    Of course, once you created a custom method you could write your own log ...
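The following is an added example, not code from the thread and not anything AIX ships: a shell model of the custom "auth1" method sketched above. It classifies the login path from the process ancestry (on AIX that would be the output of proctree; here it is read from stdin so the logic can be exercised anywhere) and compares it with the parameter given in the user's auth1 attribute, exiting 0 to allow and 1 to deny as the answer describes. The function names classify_login, check_policy and decide_login, the policy keywords notelnet, nossh, sshonly and telnetonly, and the sample process trees are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread and not an AIX-supplied script: a model of the
# custom auth1 login-method check described in the accepted answer. Function names,
# policy keywords and sample trees are assumptions made for this example.

# classify_login: reads proctree-style lines ("PID COMMAND [ARGS]") on stdin and
# prints telnet, ssh or other, depending on which daemon appears in the ancestry.
classify_login() {
    method=other
    while read -r _pid cmd _rest; do
        case "$cmd" in
            telnetd|*/telnetd) method=telnet ;;
            sshd|sshd:|*/sshd) method=ssh ;;
        esac
    done
    printf '%s\n' "$method"
}

# check_policy METHOD PARAM: PARAM is the string after ';' in the user's auth1
# attribute (e.g. "notelnet"). Returns 0 (allow) or 1 (deny), the auth1 contract.
# An unknown or misspelled PARAM denies, so a typo in /etc/security/user cannot
# silently widen access.
check_policy() {
    case "$2" in
        notelnet)   [ "$1" != telnet ] ;;
        nossh)      [ "$1" != ssh ] ;;
        sshonly)    [ "$1" = ssh ] ;;
        telnetonly) [ "$1" = telnet ] ;;
        *)          return 1 ;;
    esac
}

# decide_login PARAM < proctree-output: the piece that would be wired in as the method.
# On AIX the input would be produced by: proctree $$
decide_login() {
    check_policy "$(classify_login)" "$1"
}

# Constructed sample ancestries in the shape proctree prints (not real captures).
SAMPLE_TELNET_TREE='1 /etc/init
2 /usr/sbin/inetd
3 telnetd -a
4 -sh'
SAMPLE_SSH_TREE='1 /etc/init
2 /usr/sbin/sshd
3 sshd: userC [priv]
4 -sh'
SAMPLE_CONSOLE_TREE='1 /etc/init
2 /usr/sbin/getty /dev/console
3 -sh'

# Stand-alone run ("sh thisfile.sh demo"): show the verdict for each sample tree
# under the "notelnet" policy.
if [ "${1:-}" = demo ]; then
    for tree in "$SAMPLE_TELNET_TREE" "$SAMPLE_SSH_TREE" "$SAMPLE_CONSOLE_TREE"; do
        if printf '%s\n' "$tree" | decide_login notelnet; then echo allow; else echo deny; fi
    done
fi
```

Only the telnet session is refused under "notelnet"; ssh and console logins pass, and a parameter that is not one of the known keywords denies rather than allows. As the answer notes, this only governs what goes through the AIX login path; ssh keeps its own checks, where the AllowUsers/DenyUsers directives in sshd_config apply.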

    LVL 6

    Assisted Solution

    Yes, since AIX 5.2,  you can restrict by protocol on a per user a/o group basis, using PAM.
    We do it.

    We have hundreds of AIX boxes, with LDAP managed users.  Not all users are permitted on all boxes.  Using the below method permits us to limit some users to subsets of boxes via group management, we don't have to say userX has access (although we could), we say group Y has access, then the security admin team just adds the user to group Y.

    It requires changing your security setup to use PAM, but, IMHO, that's a good thing. (if you're not already doing it)

    This permits us to have users defined within an LDAP database, and not within /etc/passwd (so when they change their Windows password, Active Directory syncs the password to LDAP, and now their "AIX" password follows their Windows password, on ALL of the systems they have access to), and service accounts defined within /etc/passwd.    But I digress.

    If you're not running PAM, there's some config work that I won't chew up this thread with,  it's not hard, just needs to be done, obviously.

    Once complete, add these lines where appropriate within /etc/pam.conf

    ftp auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.FTP found=allow
    sshd auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.SSH found=allow

    The two files /etc/pam.groups.FTP and /etc/pam.groups.SSH are your text files listing users and groups with access.  The found=allow states that if found, they're allowed, if not found, they're not allowed.  There's a reverse option but I don't recall what it is.
    We use +/- prefixes within the text files.  +user or +@group says they have access, then obviously, non-existence, -user or -@group says they can't.
    It's read top down, first match wins.  -ALL at the bottom is catch-all.  While not required due to "found=allow" option used in pam.conf, we put it in anyway.

    Here's a subset of ours:
    for FTP:

    for ssh:
    +root     (for DMZ systems, we code -root, and force root to login via the console)

    The group names don't start with @, that's just the syntax so PAM knows you're talking about a group.

    One last note on configuring PAM and LDAP.  (LDAP is not required, it's just a big side benefit IMHO)
    Also there were big integration changes between AIX and Active Directory with AIX 5.3.  As for anything, if you are googling information, check the publication dates; we went through a lot of heartburn between us and our AD team, thinking there'd need to be AD schema changes.. in OUR configuration, we did not, YMMV.  It's been several years, I'd hope you're on recent enough releases that you wouldn't have problems either, but that just really means you need to check that the docs you find are appropriate for your release.
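The following is an added example, not part of the thread and not IBM's pam_permission module: a shell model of the access-list semantics the answer describes for /etc/pam.groups.SSH and /etc/pam.groups.FTP (+user / +@group allow, -user / -@group deny, -ALL as catch-all, read top down with first match winning, and nothing matched meaning denied under found=allow). It lets a rule file be checked against a user and their groups before it is wired into /etc/pam.conf. The function name access_decision, the rule file and the user and group names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread and not the real pam_permission module: a model of
# the +/- access-list rules described above, so a rule file can be tested offline.
# Rules, as the answer states them:
#   +user / +@group   allow        -user / -@group   deny
#   -ALL              deny everyone (catch-all)
#   read top down, first match wins; no match at all => deny (found=allow behaviour)

# access_decision USER [GROUP...] < rulefile
# Prints allow or deny and returns 0 for allow, 1 for deny. Group membership is
# passed explicitly so the check is testable; on a live system it would come from
# the user's group list (e.g. id -Gn USER).
access_decision() {
    who=$1; shift
    user_groups=$*
    verdict=""
    while read -r rule _comment; do          # anything after the rule (e.g. "(for DMZ ...)") is ignored
        case "$rule" in
            +*) action=allow; subject=${rule#+} ;;
            -*) action=deny;  subject=${rule#-} ;;
            *)  continue ;;                  # blank line, comment or malformed line: skip
        esac
        matched=no
        case "$subject" in
            ALL) matched=yes ;;
            @*)  for g in $user_groups; do
                     if [ "$g" = "${subject#@}" ]; then matched=yes; fi
                 done ;;
            *)   if [ "$subject" = "$who" ]; then matched=yes; fi ;;
        esac
        if [ "$matched" = yes ]; then
            verdict=$action                  # first match wins
            break
        fi
    done
    [ -n "$verdict" ] || verdict=deny        # not listed anywhere: deny (found=allow)
    printf '%s\n' "$verdict"
    [ "$verdict" = allow ]
}

# Constructed sample in the shape of /etc/pam.groups.SSH (not the thread author's file).
SAMPLE_SSH_RULES='# constructed sample rule file for this example
+root     (for DMZ systems, code -root and force root to the console)
-bob
+@unixadmins
-@contractors
+alice
-ALL'

# Stand-alone run ("sh thisfile.sh demo"): evaluate a few users against the sample.
if [ "${1:-}" = demo ]; then
    for spec in "root" "bob unixadmins" "carol staff unixadmins" "alice contractors" "eve"; do
        # shellcheck disable=SC2086
        printf '%-25s -> ' "$spec"; printf '%s\n' "$SAMPLE_SSH_RULES" | access_decision $spec || true
    done
fi
```

Two of the sample cases show why order matters: bob is denied even though he is in unixadmins, because "-bob" precedes "+@unixadmins", and alice is denied because "-@contractors" precedes "+alice". A user who matches nothing (eve) is denied by -ALL, and would still be denied without that line because no match means no access under found=allow.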

