Re: Limiting finger lookup access on Linux
- To: Rex Roof <email@example.com>
- Subject: Re: Limiting finger lookup access on Linux
- From: "Brett @Google" <firstname.lastname@example.org>
- Date: Sun, 13 Sep 2009 10:48:22 +1000
- Cc: email@example.com
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=ZDuSw4t7P/KdLG6Ru9RDwwr2PwOJ79biLWziH2pxNLw=; b=wS9cSsw7h/y4WMhT6PKE8i32FbfdKOjCeUdMT5NiXPyhI48XGj+qLFcV4hprsATi73 eVlyI/aKsslqnWKrSzMQVVYK3sCgiQchKrwaGp4HiQkdjhmqiBpknbN4L3XMKFOetEJm AuDTg2yJHzGHmeS/aW3Nvs8Le+b4l0XgXqIJE=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=xktKWeA43AGzL6tf3r4rud6NlSlYOHyqxjY+7czLkHvXD4bzo/q7ABNEZU5o6U9Pkj 8EzMFF4eEbBgt8PtwybgcJ5Cx+4La0EhPnfnpWQh6i8HhVOMyg4RUXCITQmrDJnvX/XJ Xi1VWklampmWAZq9aJDiDsqzX635MKPGR7mFg=
- In-reply-to: <E73FB1AD-AF59-4C15-8D23-02757FA832D1@wccnet.edu>
- References: <E73FB1AD-AF59-4C15-8D23-02757FA832D1@wccnet.edu>
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <firstname.lastname@example.org> wrote:
> I have some Linux machines that I have configured for student access. We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames. This is all working perfectly.
> This is the problem I am having. Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree. I would like to limit the info available via finger to just the users that have access to any particular machine. How can this be controlled?
This sounds more like a firewall / iptables issue to your finger server than anything else?
Just allow finger port from localhost or the local machine's ip address, and nowhere else.
Or redirect the finger port from "outside" users to a "fake" finger server on another (non-default) port which does not do ldap lookups.
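The two variants Brett describes (accept finger only from localhost and the machine's own address, or redirect everyone else to a finger daemon on a non-default port that does no LDAP lookups) as a small iptables script. This is an added example, not code from the thread: the host address 192.0.2.10 and the alternate port 7979 are constructed values, and the finger daemon is assumed to listen on TCP/79.

```shell
#!/bin/sh
# Added example: iptables rules for restricting the finger port (TCP/79).
# Assumptions (not from the original thread): finger listens on TCP/79,
# $1 is the machine's own IP address, and an optional $2 is the port of a
# second finger daemon that does not consult LDAP.

# Emit the rules as text so they can be reviewed before they are applied.
finger_rules() {
  host_ip="$1"          # address of the machine itself
  fake_port="${2:-}"    # optional port of the restricted finger daemon
  cat <<EOF
iptables -A INPUT -p tcp --dport 79 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 79 -s ${host_ip} -j ACCEPT
EOF
  if [ -n "$fake_port" ]; then
    # Locally generated packets never traverse nat/PREROUTING, so local
    # clients keep using the real daemon on 79 while outside clients are
    # silently redirected to the daemon without LDAP lookups.
    echo "iptables -t nat -A PREROUTING -p tcp --dport 79 -j REDIRECT --to-ports ${fake_port}"
  else
    # No alternate daemon: drop finger traffic from everywhere else.
    echo "iptables -A INPUT -p tcp --dport 79 -j DROP"
  fi
}

# Apply the generated rules one by one (needs root; the ACCEPT rules are
# appended before the DROP so ordering within the INPUT chain is correct).
apply_finger_rules() {
  finger_rules "$1" "$2" | while IFS= read -r rule; do
    sh -c "$rule"
  done
}

# Small check helper: number of rules a given configuration produces.
finger_rule_count() {
  finger_rules "$@" | wc -l | tr -d ' '
}

# Usage (constructed address/port):
#   finger_rules 192.0.2.10            # review the allow-only-local variant
#   finger_rules 192.0.2.10 7979       # review the redirect variant
#   apply_finger_rules 192.0.2.10 7979 # install the rules as root
```

The script only prints the rules by default; `apply_finger_rules` runs them. Append the ACCEPT rules before any DROP in the INPUT chain, as the generator does, otherwise local lookups are blocked too.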