Restricting telnet access for root (QNX 4.25)

Can’t figure out how to disable telnet login for root (QNX4.25) Help
please.

Thanks in advance and Best Regards,
S.

S.B. <sbmail@verizon.net> wrote:
SB > Can’t figure out how to disable telnet login for root (QNX4.25) Help
SB > please.

SB > Thanks in advance and Best Regards,
SB > S.

I would do something in root’s .profile.

Test that the terminal is a pty,
if so put out some kind of warning and log the user off.

Keep in mind that this will also disallow a root login on a pterm.
Also, keep in mind that you cannot prevent someone from logging in
as a regular user and 'su'ing to root.

“Bill Caroselli” <qtps@earthlink.net> wrote in message
news:c5jb4s$pv9$1@inn.qnx.com

> S.B. <sbmail@verizon.net> wrote:
> SB > Can’t figure out how to disable telnet login for root (QNX4.25) Help
> SB > please.
>
> SB > Thanks in advance and Best Regards,
> SB > S.
>
> I would do something in root’s .profile.
>
> Test that the terminal is a pty,
> if so put out some kind of warning and log the user off.
>
> Keep in mind that this will also disallow a root login on a pterm.
> Also, keep in mind that you cannot prevent someone from logging in
> as a regular user and 'su'ing to root.

Put this into root’s .profile:

------------- telnet restriction -------------

typeset ppid

# parent of this login shell, taken from the parent-pid column of `sin fa`
ppid=`sin -p $$ fa | tail -1 | cut -c50-56`

# refuse the session if that parent is telnetd
if test "`sin -p ${ppid} | grep -l telnet`" = "-"
then
    echo " - telnet connection refused"
    exit 1
fi

unset ppid

----------------------------------------------

It’s not perfect but it works. Still, it’s possible to log in as root by hitting
CTRL-C immediately after login (trapping CTRL-C doesn’t help).

Bill Caroselli wrote:

> S.B. <sbmail@verizon.net> wrote:
> SB > Can’t figure out how to disable telnet login for root (QNX4.25) Help
> SB > please.
>
> SB > Thanks in advance and Best Regards,
> SB > S.
>
> I would do something in root’s .profile.
>
> Test that the terminal is a pty,
> if so put out some kind of warning and log the user off.
>
> Keep in mind that this will also disallow a root login on a pterm.
> Also, keep in mind that you cannot prevent someone from logging in
> as a regular user and 'su'ing to root.

We call the following script in the /etc/profile that people access via
telnet. It logs who is connecting to the computer and does not allow
telnet root access. Like Bill mentioned above they can “su” after
logging in, but you can see who is doing that in the /usr/adm/sulog file.

- Tony

#! /bin/sh
#
# This script was developed to be used on nodes that people from
# remote locations connect to via TCP/IP.

node=1
logfile=/tmp/tmp-tty.log
user_log=/var/log/inetd.users

start_time=`date "+%m/%d/%y %H:%M"`

TTY=`tty`
echo "$TTY" > $logfile

# Trim the tty output down to the first 12 characters
TTY2=`cat $logfile | cut -c 1-12`

# A pseudo-terminal (//<node>/dev/ttyp*) means the session came in over telnet
if [ "$TTY2" = "//${node}/dev/ttyp" ]
then
    if [ "$LOGNAME" = "root" ]
    then
        echo "\n\n"
        echo "You can no longer login as root."
        echo ""
        echo -n "Press any key to continue..."
        read answer
        logout
    else
        echo "User $LOGNAME connected on $TTY at $start_time" >> $user_log
    fi
fi

rm -f $logfile


> … Like Bill mentioned above they can “su” after logging in,
> but you can see who is doing that in the /usr/adm/sulog file…

Let me add my two-pence…

I implemented the “wheels” group and put only a few admins I trust in it.
Then I changed ownership of “su” to:
chown root:wheels su
and then:
chmod 4554 su

I’d like QNX v4 to implement group passwords too (so that newgrp would ask
one if he has the rights)

Tony

On Thu, 15 Apr 2004 17:01:39 -0500, Tony Williams <twillqnx@yahoo.com>
wrote:

> We call the following script in the /etc/profile that people access via
> telnet. It logs who is connecting to the computer and does not allow
> telnet root access. Like Bill mentioned above they can “su” after
> logging in, but you can see who is doing that in the /usr/adm/sulog file.
>
> #! /bin/sh
> #
> # This script was developed to be used on nodes that people from
> # remote locations connect to via TCP/IP.
>
> node=1
> logfile=/tmp/tmp-tty.log
> user_log=/var/log/inetd.users
>
> start_time=`date "+%m/%d/%y %H:%M"`
>
> TTY=`tty`
> echo "$TTY" > $logfile
>
> # Trim the tty output down to the first 12 characters
> TTY2=`cat $logfile | cut -c 1-12`
>
> # A pseudo-terminal (//<node>/dev/ttyp*) means the session came in over telnet
> if [ "$TTY2" = "//${node}/dev/ttyp" ]
> then
>     if [ "$LOGNAME" = "root" ]
>     then
>         echo "\n\n"
>         echo "You can no longer login as root."
>         echo ""
>         echo -n "Press any key to continue..."
>         read answer
>         logout
>     else
>         echo "User $LOGNAME connected on $TTY at $start_time" >> $user_log
>     fi
> fi
>
> rm -f $logfile


Tony, thank you for the nice starting point!
I modified your script so it does not fail if two or more users try
connecting simultaneously, fewer temporary files are used (none actually!),
and logins are registered by /usr/bin/logger.

# This script was developed to be used on nodes that people
# from remote locations connect to via TCP/IP.

# tty prints //<node>/dev/<device>; field 5 is the device name, and a name
# starting with "tty" (ttyp*) is a pseudo-terminal, i.e. a telnet session
if [ "$(tty | cut -f 5 -d/ | cut -c 1-3)" = "tty" ]; then
    if [ "$LOGNAME" = "root" ]; then
        echo "\n\n"
        echo "You can no longer login as root."
        echo ""
        echo -n "Press any key to continue..."
        read answer
        logout
    else
        echo "User $LOGNAME connected on $(tty) at $(date)" | logger -t LOGIN
    fi
fi

Tony.
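The pty test that both profile scripts in this thread perform, written here as an added example (not code posted by either Tony) so it can be exercised outside a QNX box: the terminal path is reduced to its device name, which makes the check independent of the //node prefix and of field positions in cut, and the logger line is built by a function so it can be checked. Pseudo-terminals (ttyp*) are what telnetd hands out, so root on one is refused; as Bill noted, a local pterm uses a pty too and is refused as well.

```shell
# Added example, not from the thread: the root-over-pty check as shell
# functions. Terminal paths look like //1/dev/ttyp0 on QNX 4 (node 1) or
# /dev/ttyp0 elsewhere; only the last path component is inspected.

# is_pty PATH -> 0 if PATH names a pseudo-terminal (ttyp*), else 1
is_pty() {
    dev=${1##*/}                # strip everything up to the last '/'
    case $dev in
        ttyp*) return 0 ;;      # pseudo-terminal: telnet (or a local pterm)
        *)     return 1 ;;      # console (con*), serial (ser*), anything else
    esac
}

# refuse_remote_root PATH USER -> 0 (refuse) only for root on a pty
refuse_remote_root() {
    is_pty "$1" && [ "$2" = root ]
}

# login_record USER PATH DATE -> the line the scripts feed to logger/user_log;
# the date is a parameter so the output is reproducible.
login_record() {
    printf 'User %s connected on %s at %s\n' "$1" "$2" "$3"
}

# Glue for /etc/profile. Returns 1 when the caller should `logout`, which is
# how the thread's scripts end the session; 0 when the login may proceed.
remote_login_guard() {
    t=$(tty 2>/dev/null) || return 0        # no terminal: nothing to check
    u=${LOGNAME:-$(id -un)}
    if refuse_remote_root "$t" "$u"; then
        echo "You can no longer login as root."
        return 1
    fi
    login_record "$u" "$t" "$(date)" | logger -t LOGIN
    return 0
}

# In /etc/profile:  remote_login_guard || logout
```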

Is there any way to know which IP address the telnet session is coming from?

If I wanted to allow root to telnet from 1 IP address.

-Glenn


“Tony” <mts.spb.suxx@mail.ru> wrote in message
news:opsj8xhlloo93ri4@mobile…


> Tony, thank you for the nice starting point!
> I modified your script so it does not fail if two or more users try
> connecting simultaneously, fewer temporary files are used (none actually!),
> and logins are registered by /usr/bin/logger.
>
> # This script was developed to be used on nodes that people
> # from remote locations connect to via TCP/IP.
>
> # tty prints //<node>/dev/<device>; field 5 is the device name, and a name
> # starting with "tty" (ttyp*) is a pseudo-terminal, i.e. a telnet session
> if [ "$(tty | cut -f 5 -d/ | cut -c 1-3)" = "tty" ]; then
>     if [ "$LOGNAME" = "root" ]; then
>         echo "\n\n"
>         echo "You can no longer login as root."
>         echo ""
>         echo -n "Press any key to continue..."
>         read answer
>         logout
>     else
>         echo "User $LOGNAME connected on $(tty) at $(date)" | logger -t LOGIN
>     fi
> fi
>
> Tony.

On Tue, 11 Jan 2005 17:55:34 -0500, Glenn Sherman <nobody@nowhere.com>
wrote:

> Is there any way to know which IP address the telnet session is coming
> from?
> If I wanted to allow root to telnet from 1 IP address.

Certainly this is possible, but I would not do it in /etc/profile. You
should use libwrap for that. It has all the means to restrict connectivity
for any service you like, not just telnet.

Tony.
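What the libwrap route looks like, added here as an illustration and not something posted in the thread: a hosts_access(5) pair that admits telnetd connections from one address and refuses all others. It assumes the host's inetd (or a tcpd front end) is linked against libwrap and that the daemon field matches the server name as inetd starts it; 192.0.2.10 is a constructed placeholder. The decision is made per connection, before any login prompt, so this limits which hosts may telnet at all; it cannot by itself say "root only from this address", which is why the profile checks above still refuse root.

```text
# /etc/hosts.allow   (constructed example)
# daemon field = the server name as inetd invokes it (here telnetd)
telnetd : 192.0.2.10

# /etc/hosts.deny    (constructed example)
# anything not matched in hosts.allow is refused
telnetd : ALL
```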

Tony <mts.spb.suxx@mail.ru> wrote:

> On Tue, 11 Jan 2005 17:55:34 -0500, Glenn Sherman <nobody@nowhere.com>
> wrote:
> > Is there any way to know which IP address the telnet session is coming
> > from?
> > If I wanted to allow root to telnet from 1 IP address.
> Certainly this is possible, but I would not do it in /etc/profile. You
> should use libwrap for that. It has all the means to restrict connectivity
> for any service you like, not just telnet.

you mean tcp wrapper.

On 12 Jan 2005 01:19:52 GMT, Frank Liu <fliu@usdjmp1.eng.vodafone-us.com>
wrote:

> you mean tcp wrapper.
Oh, yes!

Tony.