[Summary] - RE: novice /etc/hosts.equiv question

From: rouellet@ebmail.gdeb.com
Date: Wed Mar 08 2000 - 21:01:49 CST


Thanks to all of you that replied and set me straight on the .rhosts and
hosts.equiv files!! We received a LOT of feedback on this and decided to
use the following, as suggested by Tim.

1. change the nsswitch passwd entry to "files nis" on the local
machine (apps/database server)
2. use ypmatch to get the user's NIS passwd information and add it to the
local /etc/passwd file.
3. change the shell in the local passwd file to some nonexistent shell such
as /bin/false or /bin/noshell ...

By changing the switch file the system looks at the local /etc/passwd file
when trying to authenticate a user and finds the user has no shell and
denies them access.

We also commented out some of the undesired services from the inetd.conf
file on some of the servers as well.

Some of the other suggestions are listed below.

A. "Tcp wrappers will lock out certain applications (like telnet, ssh,
rlogin, rsh)."
B. "If users are logging in via telnet, please use the tcpwrappers files
hosts.allow and hosts.deny. If you want to, say, keep everyone out except
129.85.2, let's say, then your hosts.* files should look like this:"
     hosts.allow should have
     :ALL:ALL EXCEPT 129.85.2.

C. Wish we could have used this one.

     "touch /etc/nologin"
     no one but root can log in.
     "rm /etc/nologin"
     everyone can log in again.

-rob
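The three-step lockout described above, written out as shell functions. This is an added example, not code from Rob's post or from any of the people he quotes. It assumes the standard seven-field passwd(5) line format that `ypmatch user passwd` returns; the NIS line and the nsswitch.conf/passwd files below are constructed samples in a scratch directory, so it runs offline without touching the real system files.

```shell
#!/bin/sh
# Added example (not from the original post): the nsswitch / ypmatch /
# no-login-shell lockout as shell functions. The NIS passwd line is a
# CONSTRUCTED sample standing in for `ypmatch "$user" passwd` output, and
# the files are temporary copies, so nothing on the real system is changed.

# Step 3: rewrite the 7th (login shell) field of a passwd(5) line.
# $1 = passwd line, $2 = replacement shell (defaults to /bin/false).
set_nologin_shell() {
    printf '%s\n' "$1" |
        awk -F: -v sh="${2:-/bin/false}" 'BEGIN { OFS = ":" } NF == 7 { $7 = sh; print }'
}

# Step 2: append the NIS entry (shell already replaced) to a local passwd
# file. Refuses to add a duplicate so an existing local entry is not shadowed.
# $1 = passwd file, $2 = passwd line as returned by ypmatch.
add_locked_entry() {
    user=${2%%:*}
    if grep -q "^${user}:" "$1"; then
        printf 'local entry for %s already exists in %s\n' "$user" "$1" >&2
        return 1
    fi
    set_nologin_shell "$2" >> "$1"
}

# Step 1: make the "passwd:" line in nsswitch.conf consult files before NIS,
# so the local (locked) entry is the one found. Rewrites through a temp
# file because `sed -i` is not portable across the Unixes involved.
# $1 = nsswitch.conf path
set_nsswitch_files_first() {
    tmp="$1.tmp.$$"
    awk '$1 == "passwd:" { print "passwd:     files nis"; next } { print }' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# Read back the sources listed on the passwd: line so the change can be checked.
# $1 = nsswitch.conf path
nsswitch_passwd_line() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Demo on scratch copies (constructed data, not real system files).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'passwd:     nis files\ngroup:      files nis\nhosts:      files dns\n' > "$dir/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    # On the real server this line would come from: ypmatch jdoe passwd
    nis_line='jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/ksh'

    set_nsswitch_files_first "$dir/nsswitch.conf"
    add_locked_entry "$dir/passwd" "$nis_line"
    echo "nsswitch passwd: $(nsswitch_passwd_line "$dir/nsswitch.conf")"
    cat "$dir/passwd"
    rm -rf "$dir"
}

demo
```

The order matters in practice: switch nsswitch.conf to "files nis" only after the local entries exist, otherwise a user with no local entry is still resolved from NIS with their normal shell. Using the same uid/gid as the NIS entry keeps file ownership on the server consistent with what ypmatch reports.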



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:04 CDT