Blocking user login and su only


Post by Shahry » Sat, 20 Apr 2002 03:18:57



Hi everyone,

I need to have a generic user name and password for my systems; however,
I don't want users to use this user name and password to log in.

Users need to be able to su to this generic user to stop/start
processes, and in fact some startup scripts su to this user before
starting up some processes. Is there any way to block any account but
at the same time be able to su to the account?

Thank you,
ST

 
 
 


Post by Chris » Sat, 20 Apr 2002 03:46:02


RBAC

ChrisV


> Hi everyone,

> I need to have a generic user name and password for my systems; however,
> I don't want users to use this user name and password to log in.

> Users need to be able to su to this generic user to stop/start
> processes, and in fact some startup scripts su to this user before
> starting up some processes. Is there any way to block any account but
> at the same time be able to su to the account?

> Thank you,
> ST


 
 
 


Post by Barry Margoli » Sat, 20 Apr 2002 03:39:09




>Hi everyone,

>I need to have a generic user name and password for my systems; however,
>I don't want users to use this user name and password to log in.

>Users need to be able to su to this generic user to stop/start
>processes, and in fact some startup scripts su to this user before
>starting up some processes. Is there any way to block any account but
>at the same time be able to su to the account?

I think you can use "sudo" to accomplish this.

--

Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

 
 
 


Post by Reid Ear » Sat, 20 Apr 2002 23:14:08


> I need to have a generic user name and
> password for my systems however I
> don't want users to use this user name
> and password to log in.

I believe I understand what you're asking. You don't want the
"special" account to login directly to the box. You want to force
users to su to that account - which is nice because it creates an
audit trail.  Here is how we do it.

First, we make all user accounts use /bin/ksh as their default shell.
This means that when they login, the /etc/profile file is executed.

Second, we modify /etc/profile. If the user's shell is ksh, it
compares their login ID to a special file. This file is a list of
usernames which are NOT allowed to login directly. This file would
contain the name of your "special" account.  If /etc/profile
determines that the "special" account is attempting to login directly
via telnet or SSH, it displays a warning message and kicks them off
the system.

This is fairly simple and crude, but it works surprisingly well.  Let
me know if you'd like to see the shell code and I can e-mail it to
you.

I hope this helps.
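
The /etc/profile check described in the post above, sketched as an added example; this is not Reid's script, which does not appear in the thread. The deny-file path, the function names, and the use of `logname` versus `id -un` to tell a direct login from an su are assumptions.

```shell
# Added example: fragment for /etc/profile (ksh / POSIX sh).
# DENY_FILE is a hypothetical path: one user name per line, '#' starts a comment.
DENY_FILE=${DENY_FILE:-/etc/nodirectlogin}

# is_listed USER FILE -> 0 if USER appears in FILE, 1 otherwise.
# A missing or unreadable file lists nobody (the gate then allows the login).
is_listed() {
    [ -r "$2" ] || return 1
    while IFS= read -r _entry || [ -n "$_entry" ]; do
        _entry=${_entry%%#*}                                # drop comments
        _entry=$(printf '%s' "$_entry" | tr -d ' \t\r')     # drop whitespace
        if [ -n "$_entry" ] && [ "$_entry" = "$1" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

# should_deny CURRENT_USER LOGIN_NAME FILE -> 0 when the session must be refused.
# After "su - account" the login name recorded for the terminal is still the
# person who logged in, so the two names differ and the session is allowed.
should_deny() {
    [ "$1" = "$2" ] && is_listed "$1" "$3"
}

profile_gate() {
    # Boot-time "su - account -c ..." has no terminal; leave it alone.
    tty -s || return 0
    trap '' INT QUIT                  # the check must not be interruptible
    _cur=$(id -un)
    # No recorded login name on a terminal session: treat it as direct.
    _login=$(logname 2>/dev/null) || _login=$_cur
    if should_deny "$_cur" "$_login" "$DENY_FILE"; then
        echo "Direct login as $_cur is not permitted. Log in as yourself and use su." >&2
        logger -p auth.notice "refused direct login as $_cur"
        exit 1
    fi
    trap - INT QUIT
    unset _cur _login _entry
}

# In /etc/profile, call the gate before anything else:
# profile_gate
```

The check only covers sessions whose shell reads /etc/profile, so pair it with a control enforced before the shell starts, such as sshd's DenyUsers directive.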

 
 
 


Post by Shahry » Tue, 23 Apr 2002 00:53:59


Thanks Reid. Please send your shell script to my email address.


> > I need to have a generic user name and
> > password for my systems however I
> > don't want users to use this user name
> > and password to log in

> I believe I understand what you're asking. You don't want the
> "special" account to login directly to the box. You want to force
> users to su to that account - which is nice because it creates an
> audit trail.  Here is how we do it.

> First, we make all user accounts use /bin/ksh as their default shell.
> This means that when they login, the /etc/profile file is executed.

> Second, we modify /etc/profile. If the user's shell is ksh, it
> compares their login ID to a special file. This file is a list of
> usernames which are NOT allowed to login directly. This file would
> contain the name of your "special" account.  If /etc/profile
> determines that the "special" account is attempting to login directly
> via telnet or SSH, it displays a warning message and kicks them off
> the system.

> This is fairly simple and crude, but it works surprisingly well.  Let
> me know if you'd like to see the shell code and I can e-mail it to
> you.

> I hope this helps.

 
 
 


Post by Simon Eva » Tue, 23 Apr 2002 19:47:03


Can't you just put a *LK* in the passwd field of the /etc/shadow file?
This denies a login but lets you su to it?
 
 
 


Post by Shahry » Tue, 23 Apr 2002 22:45:42



> Can't you just put a *LK* in the passwd field of the /etc/shadow file?
> This denies a login but lets you su to it?

Nope, if I disable the user I can only su to it by logging in as root. I need
normal users to be able to su to the account.
 
 
 


Post by Jeff Park » Sat, 27 Apr 2002 16:09:29




> > Can't you just put a *LK* in the passwd field of the /etc/shadow file?
> > This denies a login but lets you su to it?

> Nope, if I disable the user I can only su to it by logging in as root. I need
> normal users to be able to su to the account.

Forgive my ignorance but I thought that if the user had the account
password then they could su to any user.