[svlug] restricted access
Ray Olszewski
ray at comarre.com
Tue Aug 11 17:57:27 PDT 1998
A couple of additional thoughts on the question Arthur Thomas posed this
morning:
On Tue, 11 Aug 1998, Arthur Thomas wrote:
> I am trying to restrict access for a certain user on my server.
> I want the user to be able to ftp in but not ssh/telnet. I can not
> restrict all telnet/ssh access however.
Dan Bethe suggested:
> Friend, you're in luck because that's just what /etc/hosts.deny
> and /etc/hosts.allow are for! The typical way to think about it is to
[rest deleted]
I think Dan is mistaken. According to the man page on my Linux box (man
hosts_access, BTW; I have no man pages for hosts.allow and hosts.deny
(Slackware 3.4)) hosts.deny will block connections from hosts or networks,
but not from specific users (accounts) on the server. This makes sense,
since these files instruct programs like tcpd, which look at the telnet, not
the subsequent login, but are not checked (to the best of my knowledge) by
the login process itself.
I suggested a custom program and Arthur responded:
> I have heard that this creates a possible security risk. Running an
> application or script allows the possibility for someone to ctrl-c or
> something like that and have access.
If memory serves, this is a problem if you use a shell script, but not if
you use a compiled program (there is no underlying shell to ^C to in this
case). I don't recall how a perl program would respond. When I regain access
to the server I did this on (it's offline at the moment due to a network
move), I'll see if I can be more specific about what I did.
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
762 Garland Drive
Palo Alto, CA 94303-3603
650.321.3561 voice ray at comarre.com
650.322.1209 fax http://www.comarre.com/ray.html
----------------------------------------------------------------