General :: Disable Telnet And Ssh For A Specific User?
Nov 12, 2010
I am looking for a way to deny telnet and ssh to one specific user. So far I've only tested with telnet and my attempts have been limited to various hosts.deny entries:
None of these work. The only thing I've found that does work is:
in.telnetd : IP_address
But this is only a semi-viable solution because we will soon have multiple logins for the one username from different servers and sub-nets. Ideally, I'd like to be able to deny telnet and ssh access to this username regardless of where the login originates. I suppose it would be possible to specify each server IP, but that'll be a bear to maintain.
I am using Red Hat LDAP (version 3) and I have passwordLockout set as "on" at global level. Is there a way to disable account lockout for a specific user?
If I only want to let a user be able to log in via telnet a max number of times equal to 2, how would I go about doing this? I have found this little tidbit:
per_source = 2
but that only allows 2 connections from the same source (i.e. network) and that would not work. For some reason our telnet sessions are not dying off after a user has shut down their PC, and then the next time they log in it adds another telnet session.
How do I give permission to a logged in user to stop/start a specific service without entering a root/sudo password? So they can do a simple "service SomeService stop|start". It is for a headless Ubuntu server.
my system I want user1 and only user1 to be able to mount and unmount a specific partition, this partition contains backups and is usually mounted read only, needs to be temporarily mounted read/write by user1 while doing the backup. user1 is an unprivileged user. I've read that the user option will let any user mount the file-system (and only that user can then subsequently unmount it) and that the users option allows any user to mount or unmount the file-system. I also found this in mount's man page:
Quote: The owner option is similar to the user option, with the restriction that the user must be the owner of the special file. This may be useful e.g. for /dev/fd if a login script makes the console user owner of this device. The group option is similar, with the restriction that the user must be member of the group of the special file.
So it looks like I'd need a login script for that user to make the user owner of the device file (/dev/voiceserv/backup in this case)
I have a question about telnet. Is there any way to configure a telnet server without disabling the firewall? I am using Red Hat 5.2 and Fedora 12. I have a lack of knowledge about firewalls.
I have a need to run a specific app as a specific user when the machine boots into init 3. I can not run this as root so I need to specify a user. Can someone tell me how to accomplish this? I usually have to log in and start this application by typing check -D which starts this app and daemonizes it. I want to be able to run that at boot with my normal user, not root. I hope I explained this correctly. I have added it to rc.local but it runs as root.
I have created a file (by root user) called test.txt. Then I created a user bob. Now I want only bob to read/write/execute this file and no other user shall have any permission on it.
So right now VNC is starting a session using :1. When I connect to that session, the terminal is logged in as root. I'd like for the terminal to be logged in as a different user as some of my end users are going to be using this and don't require such privileges. I found that I can "su" to a different user and start a new VNC daemon on :2 and when I connect to that session, the terminal is logged in as that user. What I want to do is get that to run at boot-up.
I run the openssh daemon on port 22 and have the proftp running on port 21. I would like to block SSH for a specific user. I use proftpd. I would like to prevent the SSH access for this user and leave the FTP working for this specific user. In /etc/passwd, I tried to change the /bin/bash to /bin/false, but this blocks both SSH and FTP access for this account.
I'm trying to add users to my nfs server with a specific home directory that already exists. Can this be done? I've done some research on Google and other forums but can't seem to find the answer.
I did some digging on the sudo command and I do know the config file is /etc/sudoers. Read the manual for sudoers and found out that I must use visudo to edit the file. I read some of the examples at the bottom of the file and tried entering my own account in following the example. One of the commands I was trying to allow my account to perform without root login is the mount command. So I tried adding this in (kreid8 /bin/mount ALL). I then saved & exited the file and logged out of root and tried sudo mount -t vfat /dev/sdc1 /media. I got an error saying I had to be root in order to do that. But when I use the visudo -l option it shows that I have that privilege. Did I edit the file incorrectly?
I have two machines between which I need to share a folder. On server1, I have the user 'appuser' that needs to access (read/write/delete) on this share. On server2, 'root' accesses this share and writes to it. I have the following in /etc/exports on server1:
/home/app-share 999.999.99.99/28(rw,insecure,sync,no_root_squash)
where the number is the IP address. How can I change this to allow 'appuser' access?
allow specific user permission to read/write my folder
I have a folder called /TAR/Sketch
I added a new user, named Snoopy, I want to grant this user the ability to add files & directories to this folder which is under the group Sketches and the owner is me.
How can I mount a device with specific user rights on start up? I still have some problems figuring it out. I would like to mount the device with uid=1000 and gid=1000. My current entry to the /etc/fstab/ file looks like this:
Can anyone advise: if I want to have an alert message when a specific user logs in to the system, what can I do? That means if a specific user logs in to the system, then send me an alert message (by any way) to inform me the user has logged in. What is the method?
I'm trying to do something like this: I created a group called www and made this group the owner of the directory /var/www/html so I can read and write to it. Of course I've added myself to this group, but it seems I can't read and write. The syntax I used was something like chown :www /var/www/html. It didn't work. Only when I used chown samurai:www /var/www/html could I finally create a new file. The reason I don't want to specify the user name is because I'm thinking of a scenario when I need to give permission to a large group of people and don't want to do it user by user.
I am using CentOS 5.5 and I created few users (useradd john etc.) and now I want to assign privileges to this user on some directories and files in those directories. For example I want to give read privileges to directory "/documents" and all of files under that directory.
Does anybody know how to disable the root login to the GUI? I am running my Red Hat server on runlevel 5 and I don't need root to log in to the GUI. I am talking about Red Hat 5.
Is there a non-root shell command that can tell me if a user's account is disabled or not? Note that there is a fine distinction between LOCKING and DISABLED:
LOCKING is where you prepend ! or * or !! to the password field of the /etc/passwd file. On Linux systems that shadow the passwords, this marker flag may be placed in /etc/shadow instead of /etc/passwd. Password locking can be done (at a shell prompt) via password -l username (as root) to lock the account of username, and the use of the option -u will unlock it.
DISABLING an account is done by setting the expiration time of the user account to some point in the past. This can be done with chage -E 0 username, which sets the expiration date to 0 days after the Unix epoch. Setting it to -1 will disable the use of the expiration date.
The effect of locking is to prevent the login process from using a supplied password to hash correctly against the saved hash (by virtue of the fact that the pre-pended marker character(s) are not valid output character(s) for the hash, thus no possible input can ever be used to generate a hash that would match it). The effect of disabling is to prevent any process from using an account because the expiration date of the account has already passed.
For my situation, the use of locking is not sufficient because a user might still be able to login, e.g. using ssh authentication tokens, and processes under that user can still spawn other processes. Thus, we have accounts that are enabled or disabled, not just locked. We already know how to disable and enable the account - it requires root access and the use of chage, as shown above.
To repeat my question: is there a shell command which can be run without root privileges which can output the status of this account expiration info for a given user? This is intended for use on a Red Hat Enterprise 5.4 system. The output is being returned to a Java process which can then parse the output as needed, or make use of the return code.
Can anyone shed some light on this? Using Fedora 14-64, new install, 185 Opteron x 2 gig ram, sata hard drives formatted Ext4. However, in my home directory I have a folder for all my digital photos of which I have more than 20,000, and in another folder I have images and clipart of which I have almost 8,000. That is a lot of read only access to a significant number of files in my home directory.
How can I tell Fedora to not update the LAST ACCESS TIME of those files (specifically images) that will never actually be changed other than just being read? I want to leave that feature enabled for the rest of my home directory. I am trying to improve my disk performance in Nautilus because whenever I access the folders with my images the system literally slows to a crawl and sometimes even the mouse stops working for several minutes until Nautilus has finished having its heart attack.
11.04 64 bit I just picked up a new high-gain usb wireless adapter that I would like to use for a while in place of the built in wireless adapter in my desktop. It is detected and works just fine. My question is this: Is there any way I can disable just the built in adapter and leave the new one active (or vice versa)? I don't want to remove the built-in one as there will be occasions that I will want to use both.
When I run OpenVPN server - tap0 adapter, it breaks Teredo (Miredo) IPv6 address down. I don't need IPv6 on OpenVPN, so is there any way to disable IPv6 on tap0 completely?
Now that IPv6 is becoming more and more common, I found the need to disable IPv6 on some interfaces but have it enabled on others. I found that /proc/sys/net/ipv6/conf/*/disable_ipv6 does exactly that. I am now wondering if anybody knows why networking scripts are so counterintuitive. /etc/sysconfig/network has an option:
NETWORKING_IPV6=yes
All this option does is disable some ipv6 services (dhcpv6...), it does not disable IPv6 in whole (as one would assume...that's why you had to disable it with module parameters). Searching for more IP6 related config options, one can find that /etc/sysconfig/network-scripts/ifcfg-* scripts can contain:
IPV6INIT=yes
Again, this option does not disable IPv6 protocol on the interface, it just skips running ifup-ipv6/ifdown-ipv6 scripts. I added a /sbin/ifup-pre-local. Now, this script runs before ethX entries are created (other scripts run when it's already too late) in /proc directory, so it modifies default values which are then used after those entries are created:
I am trying to find the difference between the above two services. Both are under xinetd and can someone please explain the difference between them (is one more secure than the other one?)