On 07/08/2013 07:44 PM, KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet.
> ssh is fine.

No AIX experience, but I once overheard someone who did something like
this using PAM, and apparently you could use the pam_permission module:


so you could add this to /etc/pam.conf

telnet auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow

and create the file /etc/pam.groups.telnet with info like this:


in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
denied access.

You could even harden it even more with good old tcp_wrappers
(hosts.allow, hosts.deny).

If you have a config tool (cfengine, puppet, whatever), this could be
quite easy to distribute once properly tested.

Totally untested :-) but maybe worth a shot.
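As an added example (not from KodaK's report or the reply above), here is a POSIX sh check that a pam.conf-style file actually gates the telnet auth stack with pam_permission as suggested, and that the gate is the first telnet auth entry, since an earlier "sufficient" module would short-circuit the stack and skip the requisite check. The sample configurations are constructed here, and pam_aix is assumed as the regular AIX auth module.

```shell
# telnet_pam_gated FILE -> 0 if the first "telnet auth" entry in FILE is a
# requisite pam_permission line with file=/... and found=allow, else 1.
telnet_pam_gated() {
    awk '
        $1 == "telnet" && $2 == "auth" {
            if (seen) next            # only the first telnet auth line matters
            seen = 1
            if ($3 != "requisite" || $4 !~ /pam_permission$/) next
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^file=\//) has_file = 1
                if ($i == "found=allow") has_allow = 1
            }
            if (has_file && has_allow) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample configurations (written to a temp dir, not to /etc).
dir=${TMPDIR:-/tmp}/pam_check.$$
mkdir -p "$dir"

# Good: pam_permission gates telnet before any other module runs.
cat > "$dir/good.conf" <<'EOF'
telnet auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow
telnet auth required  /usr/lib/security/pam_aix
sshd   auth required  /usr/lib/security/pam_aix
EOF

# Bad: a sufficient module comes first, so the gate can be skipped.
cat > "$dir/bad.conf" <<'EOF'
telnet auth sufficient /usr/lib/security/pam_aix
telnet auth requisite  /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow
EOF

# Unrestricted: no pam_permission line at all.
cat > "$dir/none.conf" <<'EOF'
telnet auth required /usr/lib/security/pam_aix
EOF

for f in good bad none; do
    if telnet_pam_gated "$dir/$f.conf"; then echo "$f: telnet gated"; else echo "$f: NOT gated"; fi
done
```

Point it at the real /etc/pam.conf after rolling the change out to confirm the ordering survived your config tool.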