How can I use PAM to restrict telnet login by user?
Solution 1
You can use pam_succeed_if in your /etc/pam.d/telnet or similar file:
auth required pam_succeed_if.so user = ${telnet_user} quiet
Where ${telnet_user} is the user allowed to use telnet.
But, if you weren't aware, telnet is a Bad Thing. The allowed account's details can easily be sniffed and may enable other people to use the account. Really, do use SSH if at all possible.
Edit: Whoops, fudged the logic. Thanks joeforker.
Solution 2
You could use pam_localuser:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html
or, for a more flexible approach, pam_listfile:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_listfile.html
Both basically look for allowed/forbidden usernames in a local file and check logins against that.
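Putting the two answers together, here is an added example (not from either answer) of what the auth section of a RHEL-style /etc/pam.d/remote, the file joeforker mentions, could look like; the group name `telnet`, the list path /etc/telnet.allow and the stock stack below the added line are assumptions.

```conf
#%PAM-1.0
# /etc/pam.d/remote: PAM service used by `login -h`, i.e. telnetd, on RHEL 5
# (assumed layout of the stock file; only the pam_succeed_if / pam_listfile
# lines are the addition)
auth       required     pam_securetty.so

# Restrict telnet to members of the (assumed) "telnet" group.
# "requisite" instead of "required": on failure the stack stops here, so a
# disallowed user is never asked for a password over the cleartext link.
# "quiet" suppresses a syslog entry for every refused user.
auth       requisite    pam_succeed_if.so quiet user ingroup telnet

# Alternative with pam_listfile: one allowed username per line in
# /etc/telnet.allow (assumed path; keep it root-owned, mode 0644).
# sense=allow means "only these users"; onerr=fail denies everyone if the
# file is missing or unreadable, the safe choice for an allow-list.
#auth      requisite    pam_listfile.so onerr=fail item=user sense=allow file=/etc/telnet.allow quiet

# Remainder of the stock RHEL 5 stack, unchanged
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
```

Using `required` as in Solution 1 also denies the login; the only difference is that the password prompt is still shown before the refusal. If the separate pamtester tool is installed, `pamtester remote someuser authenticate` exercises the stack without opening a real telnet session.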
Comments
- joeforker (over 1 year): Regrettably I need to enable telnet for a single user on a Linux machine. Everyone else will have to use ssh. How do I configure PAM to restrict which users may login via the telnet server?
- AWesley (almost 15 years): +1 for "telnet is a Bad Thing"
- Teddy (almost 15 years): Unless, of course, you're using IPsec. Then SSH becomes an unnecessary CPU drain.
- Dan Carley (almost 15 years): Arguably, if you're putting enough data over an interactive shell for it to make the difference, then there's probably a better way to achieve what you're doing.
- joeforker (almost 15 years): I'm using RHEL5, I added a telnet group and 'auth required pam_succeed_if.so quiet user ingroup telnet' as the second non-comment line in /etc/pam.d/remote. It works!