Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Can I restrict IP and AIX account at the same time?
Operating Systems AIX Can I restrict IP and AIX account at the same time? Post 302972834 by vbe on Wednesday 11th of May 2016 06:49:25 AM
Old 05-11-2016
I used to do this sort of thing on a aix 4.2 ... So long time ago... Using Madeingermany's solution, not sure now that I used that format in hosts.allow.. It may have been only the IP, I rememberes also using mac addresses to filter...
The trick after ( as say using IP or Mac) was in .profile to check if that user was the one expected ( IP or MAC ) andmaking root own the .profile etc.. I was easy here as these users entered in a menu to access the application and never have the chance to get to a terminal prompt...
You could try to add a condition as you expect different users using same IP...

Thoses were the days without ssh...

So currently I would favor zaxxon's solution

my 2 cents
All the best
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

How to restrict account to one log-in?

Our users have the tendency to use only one login account, to do their jobs. Obvious itīs a matter of training our users. But our internal audit team insists on restrictions from our system. So is there an option to restrict an account to only login once into the system? We use HP-UX 11.0. ... (0 Replies)
Discussion started by: Egroman
0 Replies

2. UNIX for Advanced & Expert Users

how to find creation time of an account?

Hi all, I want to know the time when a perticular user is created, atleat in which year it is created. Could any one help me in this issue. Thanks in advance. Regards, M.Sukumar (1 Reply)
Discussion started by: sukumar
1 Replies

3. AIX

AIX shell account

I am just wondering if there is a way I can obtain a free shell account for an AIX server that I can make test drive on it. I tried google search and ibm's web site but couldn't find anything.. regards, (2 Replies)
Discussion started by: milhan
2 Replies

4. AIX

How to restrict Highports in AIX 5.2

Hello, I am using wu-ftp 2.4.2 in AIX 5.2. I wanted to restrict high ports for dataconnection. by default dataconnection ports will be from range 1024 to 65536. But i wanted to restrict it to some range like 10000 - 10500. This setting is to enable ports at client firewall. Please let me... (0 Replies)
Discussion started by: balareddy
0 Replies

5. Shell Programming and Scripting

How to restrict running one instance of scp at any time in fsniper

How to restrict running one instance of scp at any time? (2 Replies)
Discussion started by: proactiveaditya
2 Replies

6. Solaris

How to Restrict user login after certain time in Solaris??

My OS is Solaris 10, I would like to know if there is any way to restrict user login to the system (either remote or console login) after certain time, say 20:00 on Mon to Fri and whole day on SAT and SUN??? Sorry that I am a new user on Unix System. Any comment is fully appreciated!!! Alex (7 Replies)
Discussion started by: alessandro31
7 Replies

7. AIX

AIX: Could not login using NIS Account?

Hi there, I am new to AIX environment, when I set up NIS Client for an AIX 5.3 Machine to connect to a Linux NIS Master, everything seems to be okie: /etc/passwd: +::0:0::: /etc/group: +: ps -ef | egrep "ypbind": /usr/lib/netsvc/yp/ypbind -ypsetme -ypsetme I can get all account... (0 Replies)
Discussion started by: quanba
0 Replies

8. UNIX for Advanced & Expert Users

IBM directory server - how to restrict AIX client access to read-only

Hello all, I am using IBM Directory Server (as a part of AIX7 extension pack) in an AIX environment. To set up the server I use command: mksecldap -s -a cn=admin -p PWD -S RFC2307AIX -d o=COMPANY -u NONE Then, to set up IDS clients I use the following (I have 2 mutually replicating servers... (0 Replies)
Discussion started by: Myaso
0 Replies

9. UNIX for Beginners Questions & Answers

How to restrict ftpusers in AIX to home directory?

I need to know how to restrict the ftpusers within their home directory in AIX 7.1 For example for ftpuser nonoftp I have tried putting this entry to /etc/ftpaccess.ctl and refreshed inetd but the directory listing unsuccessful error comes with the entry. Without the ftpaccess.ctl file ftp users... (2 Replies)
Discussion started by: pregmi
2 Replies

10. UNIX for Advanced & Expert Users

Restrict service account from direct interactive sessions

Environment: CentOS 7 I would like to have a solution where a service account can access a server in only these ways: ssh non-interactively via password or ssh key; that is, run commands or scripts (but running anything in /etc/shells will not be allowed) not ssh interactively regular... (2 Replies)
Discussion started by: bgstack15
2 Replies

LEARN ABOUT OPENSOLARIS

krb5_auth_rules

krb5_auth_rules(5)					Standards, Environments, and Macros					krb5_auth_rules(5)

NAME

       krb5_auth_rules - overview of Kerberos V5 authorization

DESCRIPTION

       When  kerberized  versions of the ftp, rdist, rcp, rlogin, rsh, telnet, or ssh clients are used to connect to a server, the identity of the
       originating user must be authenticated to the Kerberos V5 authentication system. Account access	can  then  be  authorized  if  appropriate
       entries	exist in the ~/.k5login file, the gsscred table, or if the default GSS/Kerberos authentication rules successfully map the Kerberos
       principal name to Unix login name.

       To avoid security problems, the ~/.k5login file must be owned by the remote user on the server the client is attempting to access. The file
       should contain a private authorization list comprised of Kerberos principal names of the form principal/instance@realm. The /instance vari-
       able  is  optional  in  Kerberos   principal   names.   For   example,	different   principal	names	such   as   jdb@ENG.ACME.COM   and
       jdb/happy.eng.acme.com@ENG.ACME.COM  would  each  be legal, though not equivalent, Kerberos principals. The client is granted access if the
       ~/.k5login file is located in the login directory of the remote user account and if the originating user can be authenticated to one of the
       principals named in the file. See gkadmin(1M) and kadm5.acl(4) for more information on Kerberos principal names.

       When no ~/.k5login file is found in the remote user's login account, the Kerberos V5 principal name associated with the originating user is
       checked against the gsscred table. If a gsscred table exists and the principal name is matched in the table, access is granted if the  Unix
       user  ID listed in the table corresponds to the user account the client is attempting to access. If the Unix user ID does not match, access
       is denied. See gsscred(1M).

       For example, an originating user listed in the gsscred table with the principal name jdb@ENG.ACME.COM and the uid 23154 is  granted  access
       to the jdb-user account if 23154 is also the uid of jdb-user listed in the user account database. See passwd(4).

       Finally, if there is no ~/.k5login file and the Kerberos V5 identity of the originating user is not in the gsscred table, or if the gsscred
       table does not exist, the client is granted access to the account under the following conditions (default GSS/Kerberos auth rules):

	   o	  The user part of the authenticated principal name is the same as the Unix account name specified by the client.

	   o	  The realm part of the client and server are the same, unless the krb5.conf(4) auth_to_local_realm parameter is  used	to  create
		  equivalence.

	   o	  The Unix account name exists on the server.

       For example, if the originating user has the principal name jdb@ENG.ACME.COM and if the server is in realm SALES.ACME.COM, the client would
       be denied access even if jdb is a valid account name on the server. This is because the realms SALES.ACME.COM and ENG.ACME.COM differ.

       The krb5.conf(4) auth_to_local_realm parameter also affects authorization. Non-default realms can be equated with  the  default	realm  for
       authenticated name-to-local name mapping.

FILES

       ~/.k5login     Per user-account authorization file.

       /etc/passwd    System account file. This information may also be in a directory service. See passwd(4).

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ftp(1),	rcp(1),  rdist(1),  rlogin(1),	rsh(1), telnet(1), gkadmin(1M), gsscred(1M), kadm5.acl(4), krb5.conf(4), passwd(4), attributes(5),
       gss_auth_rules(5)

SunOS 5.11							    07 Apr 2006 						krb5_auth_rules(5)
All times are GMT -4. The time now is 11:20 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy