Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!news.nd.edu!mentor.cc.purdue.edu!woodcock
From: woodcock@mentor.cc.purdue.edu (Bruce Sterling Woodcock)
Newsgroups: comp.unix.wizards
Subject: Re: Limiting Telnet Access
Keywords: 3b2 telnet
Message-ID: <13248@mentor.cc.purdue.edu>
Date: 6 Jun 91 07:49:09 GMT
Article-I.D.: mentor.13248
References: <27103@adm.brl.mil> <1991Jun4.230509.3655@mnemosyne.cs.du.edu>
Organization: Nicer Mudders for a Better Tomorrow, Inc.
Lines: 35

In article <1991Jun4.230509.3655@mnemosyne.cs.du.edu> jscott@isis.UUCP (James Scott) writes:
>Anyway, this is our solution:
>1.) Make a group called 'telnet'.
>2.) chgrp telnet /usr/bin/telnet .
>3.) chmod o=,gu=rx /usr/bin/telnet .
>4.) Edit your /etc/group file, adding the login names of users who
>    can use telnet into the last field separated by commas.
>5.) For someone to use telnet, they must first type the command
>
>    $ newgrp telnet
>and _then_
>    $ telnet
>
>NOTE: the newgrp command CAN NOT be used in a shell script.
>k

I don't think this solves the problem. Anyone with a little knowledge of
programming... hell, even with a little knowledge of ftp... can use their
own copy of telnet or some other client to interface to the net. Sure, it
may slow down some people at first, but once word gets out that so-and-so
has their own telnet program, you'll be right back to the same situation.

My advice: If you want to restrict TCP/IP, remove your machine from the
network. Restricting net access to the users is not a very sensible thing,
usually, or a nice one. If you *do* want to restrict it, do some kernel
hacking. I know of several universities that have restricted the network
system calls in this way.

Bruce
--
| woodcock@mentor.cc.purdue.edu       | "That's Bruce for ya, always jumping |
| sirbruce@gnu.ai.mit.edu             |  on the bandwagon, even if it's      |
| sterling@maxwell.physics.purdue.edu |  running over him." -- Xeno          |
| Bruce@Asylum/CaveMUCK/FurryMUCK     | "I view muds as dying." -- Firefoot  |