How to allow or deny telnet login to specific users only in CentOS/RHEL

Telnet login can be restricted to specific users or groups with the pam_listfile module, configured in the file /etc/pam.d/remote. Other network services use their own PAM service files, for example /etc/pam.d/sshd for OpenSSH (which in turn includes /etc/pam.d/password-auth). Telnet logins are handed to /bin/login with the remote host name set, and login then uses the "remote" PAM service, i.e. /etc/pam.d/remote. Bear in mind that telnet carries credentials and session data in clear text; these PAM rules limit who may log in but do not protect the session, so prefer SSH wherever possible.

Denying telnet login to specific users

1. Add the users you want to deny telnet login to, one user name per line, to the file /etc/user.deny. The file must be owned by root and must not be world-writable, otherwise pam_listfile ignores it and the onerr= setting decides the outcome.

# vi /etc/user.deny
user01
user02
user03

2. Add the following line to the /etc/pam.d/remote file, above the existing auth entries so that it is evaluated first, to deny telnet login to the users listed in /etc/user.deny in step 1. Note that onerr=succeed makes the check fail open: if the list file is missing, unreadable, not owned by root or world-writable, pam_listfile skips the list and every user passes this rule. Use onerr=fail if you would rather block all telnet logins than silently stop denying.

# vi /etc/pam.d/remote
auth   required  pam_listfile.so  item=user  sense=deny  file=/etc/user.deny  onerr=succeed

Allowing telnet login to specific users

1. To allow telnet login only to specific users, add the line below to the file /etc/pam.d/remote and put the allowed user names, one per line, in the list file. Any user not in the list is refused. The list file name is arbitrary (this line reuses /etc/user.deny); it must be root-owned and not world-writable, and onerr=succeed again means that a missing or unsafe list file lets everyone through.

# vi /etc/pam.d/remote
auth   required  pam_listfile.so  item=user  sense=allow  file=/etc/user.deny  onerr=succeed

2. To allow telnet access only to members of specific groups, add the line below to the file /etc/pam.d/remote. With item=group the list file contains group names, one per line, and a user passes when any of their groups (primary or supplementary) appears in it.

# vi /etc/pam.d/remote
auth   required  pam_listfile.so  item=group  sense=allow  file=/etc/user.deny  onerr=succeed

Denying telnet login to specific groups

We can also deny specific groups. As with the settings above, add the line below to the file /etc/pam.d/remote, with the list file containing the group names to deny, one per line; a user belonging to any listed group is refused.

# vi /etc/pam.d/remote
auth   required  pam_listfile.so  item=group  sense=deny  file=/etc/user.deny  onerr=succeed
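The following script is an added example, not part of the original article, that ties the deny, allow and group procedures above together: it writes a list file with the ownership and mode pam_listfile requires, inserts a rule above the existing auth entries of a PAM service file without duplicating it, and predicts the verdict pam_listfile would give a user under that rule, including the fail-open behaviour of onerr=succeed when the list file is missing or world-writable. The function names, the use of a PAM file path and list file path as parameters, and the sample list contents are assumptions of this example; /etc/pam.d/remote and /etc/user.deny are the article's paths.

```shell
#!/bin/sh
# Added example, not from the original article: manage a pam_listfile rule for
# telnet logins and predict its verdict for a user. Assumes CentOS/RHEL, where
# telnet logins are authenticated through /etc/pam.d/remote; the PAM file and
# list file paths are parameters so the functions can be tried on copies.
set -u

# Write a list file (one user or group name per line) with the ownership and
# mode pam_listfile insists on: root-owned and not world-writable. A list that
# violates this is ignored by the module and onerr= decides the outcome.
write_listfile() {                        # write_listfile LISTFILE NAME...
  file=$1; shift
  printf '%s\n' "$@" > "$file"
  chmod 644 "$file"
  [ "$(id -u)" -eq 0 ] && chown root:root "$file"
  return 0
}

# Insert RULE above the first existing 'auth' line of PAMFILE so it runs before
# password-auth, and do nothing if the identical rule is already present.
add_pam_rule() {                          # add_pam_rule PAMFILE RULE
  pamfile=$1; rule=$2
  grep -qxF -- "$rule" "$pamfile" && return 0
  awk -v rule="$rule" '
    !done && $1 == "auth" { print rule; done = 1 }
    { print }
    END { if (!done) print rule }          # file had no auth lines: append
  ' "$pamfile" > "$pamfile.tmp" && cat "$pamfile.tmp" > "$pamfile" && rm -f "$pamfile.tmp"
}

# Extract the value of OPTION=... from a pam_listfile rule line.
rule_opt() {                              # rule_opt RULE OPTION
  printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# Predict pam_listfile's verdict ("allow" or "deny") for USER under RULE by
# applying the module's logic: sense=allow requires a match, sense=deny rejects
# a match, and a missing, unreadable or world-writable list file falls back to
# onerr= (the module also requires root ownership; that check is skipped here
# so the example can run unprivileged).
pam_listfile_verdict() {                  # pam_listfile_verdict RULE USER
  rule=$1; user=$2; match=no; unsafe=no
  item=$(rule_opt "$rule" item)
  sense=$(rule_opt "$rule" sense)
  file=$(rule_opt "$rule" file)
  onerr=$(rule_opt "$rule" onerr)
  onerr=${onerr:-fail}                    # the module's default when onerr= is absent
  if [ ! -r "$file" ]; then
    unsafe=yes
  else
    case $(stat -c %a "$file") in *[2367]) unsafe=yes ;; esac   # o+w bit in last octal digit
  fi
  if [ "$unsafe" = yes ]; then
    [ "$onerr" = fail ] && echo deny || echo allow
    return 0
  fi
  case $item in
    user)  names=$user ;;
    group) names=$(id -Gn "$user" 2>/dev/null || true) ;;   # primary + supplementary groups
    *)     echo "unsupported item=$item" >&2; return 2 ;;
  esac
  for n in $names; do
    grep -qxF -- "$n" "$file" && match=yes
  done
  if [ "$sense" = allow ]; then
    [ "$match" = yes ] && echo allow || echo deny
  else
    [ "$match" = yes ] && echo deny || echo allow
  fi
}

# Example use on the real system (run as root):
#   write_listfile /etc/user.deny user01 user02 user03
#   rule='auth   required  pam_listfile.so  item=user  sense=deny  file=/etc/user.deny  onerr=succeed'
#   add_pam_rule /etc/pam.d/remote "$rule"
#   pam_listfile_verdict "$rule" user01
```

Running the verdict function against a copy of /etc/pam.d/remote before and after editing is a cheap way to confirm that the rule was inserted where you expect and that the list file is in a state the module will actually honour; the onerr=succeed case is worth checking explicitly, since a deny list that has been deleted or chmod-ed by mistake denies nobody.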

Troubleshooting telnet logins

Before troubleshooting telnet access from a remote host, first check whether telnet login works locally on the server:

# telnet localhost

You can also check whether iptables is filtering the telnet port (TCP 23):

# iptables -L -t filter

You can allow access to the telnet service through iptables with the command below. Use -I rather than -A: -A appends to the end of the INPUT chain, and on a default CentOS/RHEL ruleset that ends with a REJECT rule an appended ACCEPT is never reached. The rule is lost at reboot unless saved (service iptables save); on RHEL/CentOS 7 with firewalld, use firewall-cmd --add-service=telnet --permanent followed by firewall-cmd --reload instead.

# iptables -I INPUT -p tcp --dport 23 -j ACCEPT