Selectively blocking user logins?


Post by Steve in P » Sun, 07 Jul 2002 05:11:42



I have several Solaris 7 and Solaris 8 production servers that turn
into number-crunchers several times a month during heavy production
processing.  I need to devise a way to selectively deny [most] users
from logging into these systems at these times, yet still allow other
critical support personnel to logon.  The problem I have now is that
some users log on during heavy processing to do compiles or run test
jobs, which slows down our production processes.

Is there an easy way to either script this function or use existing
Solaris methods to block logins at these times?

How would _you_ do it??  I'm pondering these ideas:
  -Use a script to dynamically change user shells to /bin/false in
/etc/passwd?
  -Modify the Solaris login binaries?  Is this feasible?
  -Restrict by location - not possible as it would restrict admins
too.

-Steve in Phx.

 
 
 


Post by p.. » Sun, 07 Jul 2002 05:25:22



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.  The problem I have now is that
> some users log on during heavy processing to do compiles or run test
> jobs, which slows down our production processes.
> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?
> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?
>   -Modify the Solaris login binaries?  Is this feasible?
>   -Restrict by location - not possible as it would restrict admins
> too.

If "normal" methods like /etc/motd are not respected (guess you have
tried that), a number of suggestions:

- You could reduce their quota to a number lower than current
  benefit, easily scriptable

- have a script that changes these users' shell to /bin/nologin
- if their shell respects a global /etc/rc / /etc/login put the logic here
  won't work if the users are knowledgeable

- use NIS for userid/passwd, set up a special NIS server for these machines
  (easier to manipulate the passwd map than to manipulate /etc/passwd)

- I do not know the state of PAM in Solaris, but you might find a hook there,
  especially if all the affected users belong to one group.

But I would try the person-to-person convincing way, maybe at the
price of allocating another machine for these persons (they might
have the opinion that _they also_ have an important job).

> -Steve in Phx.


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
           remove "icke-reklam" if you feel for mailing me. Thanx.

 
 
 


Post by Steve Bellen » Sun, 07 Jul 2002 06:03:03




>I have several Solaris 7 and Solaris 8 production servers that turn
>into number-crunchers several times a month during heavy production
>processing.  I need to devise a way to selectively deny [most] users
>from logging into these systems at these times, yet still allow other
>critical support personnel to logon.  The problem I have now is that
>some users log on during heavy processing to do compiles or run test
>jobs, which slows down our production processes.

>Is there an easy way to either script this function or use existing
>Solaris methods to block logins at these times?

>How would _you_ do it??  I'm pondering these ideas:

I run NIS, so this is a NIS solution:
I put the sysadmins into a netgroup `sysadmin'


+:x:::::/opt/bin/nothere

/opt/bin/nothere politely suggests other machines to use and exits.
People in sysadmin get their usual shell, everyone else gets the not-here
shell. Deleting `/opt/bin/nothere' allows everyone back on.

nsswitch has to be changed to
passwd: compat
for this to work.
--
http://www.math.fsu.edu/~bellenot
bellenot <At/> math.fsu.edu
+1.850.644.7189 (4053fax)

 
 
 


Post by Rev. Don Koo » Sun, 07 Jul 2002 06:14:03



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.  The problem I have now is that
> some users log on during heavy processing to do compiles or run test
> jobs, which slows down our production processes.

> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?

> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?
>   -Modify the Solaris login binaries?  Is this feasible?
>   -Restrict by location - not possible as it would restrict admins
> too.

        Create two versions of the "/etc/passwd" and "/etc/shadow" files and have
a cron job swap the two when you want to block regular users.

                Hope this helps,
                        Don

--
***********************      You a bounty hunter?
* Rev. Don McDonald   *      Man's gotta earn a living.
* Baltimore, MD       *      Dying ain't much of a living, boy.
***********************             "Outlaw Josey Wales"

 
 
 


Post by Kjetil Torgrim Homm » Sun, 07 Jul 2002 06:31:21


[Steve in Phx]:


>   Is there an easy way to either script this function or use
>   existing Solaris methods to block logins at these times?

>   How would _you_ do it??

the traditional method is to use NIS, "passwd: compat" in
nsswitch.conf and netgroups.  an example:

  # cat /etc/passwd
  root:x:0:1:Super-User:/:/sbin/sh
  uucp:x:5:8:uucp Admin:/usr/lib/uucp:
  nobody:x:60001:60001::/:/bin/sync


  +:*:::::/local/etc/shells/nologin

--
Kjetil T.      /XXX\   /XXX\   /XXX\   /XXX\ /XX\  /XX\  /XX\  /XX\  ///
              ///X\\\ ///X\\\ ///X\\\ ///X\\///\\\///\\\///\\\///\\\///
             //// \\\X/// \\\X/// \\\X/// \XX/  \XX/  \XX/  \XX/  \XX/
            ////   \XXX/   \XXX/   \XXX/     http://folding.stanford.edu

 
 
 


Post by Nicholas Bachman » Sun, 07 Jul 2002 06:31:39



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.  The problem I have now is that
> some users log on during heavy processing to do compiles or run test
> jobs, which slows down our production processes.

> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?

> How would _you_ do it??  I'm pondering these ideas:

I'd change all the users' shells to a custom script, like /bin/canilogin
and just edit that.  When users can login, make the script be:
#!/bin/sh

/bin/ksh #or whatever shell

when they aren't supposed to login:
#!/bin/sh

echo "Hey, hey, go away!" #or something polite :-)

If you wanted to get fancy, do something like:
#!/bin/sh

# -f rather than -e: the Solaris /bin/sh test builtin has no -e
if [ -f /etc/nologins ]
then
    echo "Hey, hey, go away!"
else
    /bin/ksh
fi

And if you wanted to impress people at parties, make a cron job that
makes or removes /etc/nologins based on the system load.

Creating a script and editing it is safer than editing your passwd file
every time you want to allow or disallow logins, as messing up the
passwd file can be very bad, but not letting lusers login until you fix
a script isn't so horrible ;-).

Be sure you write a man page (use the manedit, Luke) or something to
ensure that future SysAdmins know what's going on.  Or don't, and call
it job security (but maybe I'm just bitter over that happening to me).

--
+ http://www.not-real.org/~nick                                   +
+ How valuable is my contribution? Share your feedback at Affero: +
+ http://svcs.affero.net/rm.php?r=nick                            +
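
An added example, not part of the original post or thread: a fuller version of the flag-file login gate described above, with an exempt list so support staff can still log in during the production window. The file /etc/nologins.allow, the install-name check and the logger call are assumptions; the script targets a POSIX shell (on Solaris 7/8 that is /usr/xpg4/bin/sh or ksh, with /usr/xpg4/bin/id for `id -un`).

```sh
#!/bin/sh
# Login gate, meant to be installed as the login shell (e.g. /bin/canilogin).
# Paths are hard-coded: never read them from the environment, which the
# connecting user may be able to influence.
FLAG=/etc/nologins              # exists => production window is active
EXEMPT=/etc/nologins.allow      # assumed file: exempt login names, one per line
REAL_SHELL=/bin/ksh

# is_exempt USER FILE: succeeds only on an exact, whole-line match,
# so "ops" does not let "ops2" in. A missing or unreadable file exempts nobody.
is_exempt() {
    [ -r "$2" ] || return 1
    while read -r name || [ -n "$name" ]; do   # also reads a last line with no newline
        if [ "$name" = "$1" ]; then return 0; fi
    done < "$2"
    return 1
}

# gate_decision USER FLAGFILE EXEMPTFILE: prints "allow" or "deny".
gate_decision() {
    if [ -z "$1" ]; then echo deny; return 0; fi      # identity unknown: fail closed
    if [ ! -f "$2" ]; then echo allow; return 0; fi   # no production window
    if is_exempt "$1" "$3"; then echo allow; else echo deny; fi
}

gate_main() {
    user=$(id -un 2>/dev/null)    # effective user from the system, not $LOGNAME
    if [ "$(gate_decision "$user" "$FLAG" "$EXEMPT")" = allow ]; then
        exec "$REAL_SHELL" "$@"   # "$@" keeps "ssh host command" working
    fi
    logger -p auth.notice "login gate: refused ${user:-unknown} (production window)"
    echo "Production processing is running; please use another machine."
    exit 1
}

# Run the gate only when invoked under its install name (login shells get a
# leading "-"), so the functions above can be sourced and tested safely.
case ${0##*/} in
    canilogin|-canilogin) gate_main "$@" ;;
esac
```

The shell started by the gate has no leading dash in its name, so it does not run as a login shell and skips /etc/profile.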

 
 
 


Post by Alan Coopersmi » Sun, 07 Jul 2002 07:53:24



|I have several Solaris 7 and Solaris 8 production servers that turn
|into number-crunchers several times a month during heavy production
|processing.  I need to devise a way to selectively deny [most] users
|from logging into these systems at these times, yet still allow other
|critical support personnel to logon.  The problem I have now is that
|some users log on during heavy processing to do compiles or run test
|jobs, which slows down our production processes.

If there's a budget to solve these problems, you might look at:
        http://wwws.sun.com/software/resourcemgr/index.html

Otherwise, I'd go with the passwd file solutions mentioned earlier.

--
________________________________________________________________________


  Working for, but definitely not speaking for, Sun Microsystems, Inc.

 
 
 


Post by Andreas Borche » Sun, 07 Jul 2002 09:34:14



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.

How about running two ssh daemons, one of them at a non-standard port
and shutting off the standard port at the times of heavy production
processing? You can easily restrict the non-standard port sshd to a set
of users.

Andreas.

--
Andreas Borchert, Universitaet Ulm, SAI, Helmholtzstr. 18, 89069 Ulm,  Germany

WWW:    http://www.mathematik.uni-ulm.de/sai/borchert/
PGP:    http://www.mathematik.uni-ulm.de/sai/borchert/pgp.html

 
 
 


Post by Petr Swedoc » Sun, 07 Jul 2002 10:30:50



<snip>

> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?

> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?

Any conceivable script would need root privileges somehow. I
distrust that. Also, you'll need to add bits to the script
for account creation and deletion and attendant safety issues
there, i.e.: deleting the right accounts and seeing that it
doesn't get re-enabled on the next dynamic change.

>   -Modify the Solaris login binaries?  Is this feasible?

Sure. But why?  Too much buck, not enough bang.  It's conceivable
to use ssh and dynamically change the sshd_config file to allow some
subset of the passwd file.

>   -Restrict by location - not possible as it would restrict admins
> too.

If this is enough of a problem then you probably want to start looking
at discriminating use on a more permanent basis. As has been mentioned,
NIS can make use of the 'netgroup' list.  If it were me (and you did
ask what *I* would do... =-) I'd have dedicated compile/test machines
and dedicated production machines. It's how it's done in many places.
Use of the netgroup can make it very effective.

My choice would be to put each machine/group-of-machines in one of
three categories: production; prototype; and sandbox. Production for
the stable, needs-to-work, stuff. Prototype for testing, compiling
and config-bashing. Sandbox for the deliberate, 'what-happens-when-
I-do-this-thing-the-vendor-said-not-to-do' type of thing.  Then,
allow access to production for admins only, etc...

'Course, I don't know enough about the situation to say if this is
feasible for you...

Peace,

Petr

 
 
 


Post by Johan Magnusso » Sun, 07 Jul 2002 20:26:51



    Alan> comp.unix.solaris: |I have several Solaris 7 and Solaris 8
    Alan> production servers that turn |into number-crunchers several
    Alan> times a month during heavy production |processing.  I need
    Alan> to devise a way to selectively deny [most] users |from
    Alan> logging into these systems at these times, yet still allow
    Alan> other |critical support personnel to logon.  The problem I
    Alan> have now is that |some users log on during heavy processing
    Alan> to do compiles or run test |jobs, which slows down our
    Alan> production processes.

    Alan> If there's a budget to solve these problems, you might look
    Alan> at: http://wwws.sun.com/software/resourcemgr/index.html

Or, as an alternative solution, have a look at

http://www.aurema.com/products/products.htm

for the Aurema ARMTech resource manager. A further development of the
product used by Sun.

//Johan

--

Lysator ACS, Linkoping University, Sweden    Work:   +46-(0)8-5888 8315

 
 
 


Post by /dev/nul » Sun, 07 Jul 2002 22:02:36



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.

Hi

Have a look here:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xbdb879bffde7d4118fef...

...there's a snippet of shell code suitable for your purposes. Search
down the page for "/etc/not_loginable"

Put the code in /etc/profile, customise it to your liking and manage
access via /etc/not_loginable.

I use this in a production environment to deny access to generic
accounts (forcing app administrators to su to the app account.) I think
it would be ideal for your purposes too.

HTH

 
 
 


Post by Robert Heuse » Mon, 08 Jul 2002 08:48:04



> I have several Solaris 7 and Solaris 8 production servers that turn
> into number-crunchers several times a month during heavy production
> processing.  I need to devise a way to selectively deny [most] users
> from logging into these systems at these times, yet still allow other
> critical support personnel to logon.  The problem I have now is that
> some users log on during heavy processing to do compiles or run test
> jobs, which slows down our production processes.

> Is there an easy way to either script this function or use existing
> Solaris methods to block logins at these times?

> How would _you_ do it??  I'm pondering these ideas:
>   -Use a script to dynamically change user shells to /bin/false in
> /etc/passwd?
>   -Modify the Solaris login binaries?  Is this feasible?
>   -Restrict by location - not possible as it would restrict admins
> too.

> -Steve in Phx.


The real issue is to prevent people from starting any process that is
consuming a lot of resources, (as opposed to preventing logins),
i.e. when you start the period where the machine turns into a
number-cruncher, you have to deal with those who are logged in
already: Imagine user foobar has started his terminal session yesterday,
then none of the techniques described in other answers
to your post will inform Mr. foobar that he shall not start any
compilations between 8:30 and 12:30 today. (Even if you have
set up your environment so that shells terminate after 60s of inactivity,
users know how to fool this...).

The manual solution would be to do a who

     NAME    LINE   TIME          IDLE   PID    COMMENTS
     martha  ttyp3  Apr 16 08:14  16:25  2240
     george  ttyp0  Apr 17 07:33    .    15182

and then phone george and martha...

A scripted solution would extract the login names and send mails to
george and martha (assuming that people login using their
personal accounts rather than some generic compile-account) or even kill
everything which is attached to either ttyp3 or
ttyp0 (definitely a not-so-polite solution)

cheers
Robert
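
An added example, not part of the original post: one way to script the "extract the login names and send mails" step, reading who output in the layout shown above and skipping an exempt list of support staff. The exempt-file format, the extra sample rows and the mail wording are assumptions; on Solaris 7/8 use nawk in place of awk.

```sh
#!/bin/sh
# restricted_sessions EXEMPTFILE   (who output on stdin)
# Prints "user tty" for every session whose owner is not exempt.
# root is always exempt; a missing exempt file exempts nobody else.
restricted_sessions() {
    awk -v exempt="$1" '
        BEGIN { ok["root"] = 1
                while ((getline n < exempt) > 0) ok[n] = 1 }
        $1 == "NAME" || NF < 2 { next }        # header and blank lines
        !($1 in ok)            { print $1, $2 }
    '
}

# restricted_users EXEMPTFILE: the same sessions reduced to one line per user,
# so somebody with three terminals open gets one mail, not three.
restricted_users() {
    restricted_sessions "$1" | awk '{ print $1 }' | sort -u
}

# notify_users: reads login names on stdin and mails each one.
# Real use: who -u | restricted_users /etc/nologins.allow | notify_users
notify_users() {
    while read -r u; do
        echo "Production run in progress on $(uname -n): please start no compiles or test jobs until it ends." |
            mailx -s "Production window active" "$u"
    done
}

# Constructed sample: the two rows from the post plus two invented ones
# (a second george session and an exempt operator account).
sample_who() {
cat <<'EOF'
NAME    LINE     TIME          IDLE   PID    COMMENTS
martha  ttyp3    Apr 16 08:14  16:25  2240
george  ttyp0    Apr 17 07:33    .    15182
george  ttyp5    Apr 17 09:02    .    15977
opsadm  console  Apr 17 06:00    .    412
EOF
}

# Demo on the sample only; nothing is mailed.
if [ "${1:-}" = "--demo" ]; then
    sample_who | restricted_sessions /dev/null
fi
```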

 
 
 


Post by David Com » Tue, 30 Jul 2002 18:36:39


Going through about-to-expire articles, and I saw
this one.






>> > I have several Solaris 7 and Solaris 8 production servers that turn
>> > into number-crunchers several times a month during heavy production
>> > processing.  I need to devise a way to selectively deny [most] users
>> > from logging into these systems at these times, yet still allow other
>> > critical support personnel to logon.  The problem I have now is that
>> > some users log on during heavy processing to do compiles or run test
>> > jobs, which slows down our production processes.

>> > Is there an easy way to either script this function or use existing
>> > Solaris methods to block logins at these times?

>> > How would _you_ do it??  I'm pondering these ideas:
>> >   -Use a script to dynamically change user shells to /bin/false in
>> > /etc/passwd?
>> >   -Modify the Solaris login binaries?  Is this feasible?
>> >   -Restrict by location - not possible as it would restrict admins
>> > too.

>> The real issue is to prevent people from starting any process that is
>> consuming a lot of resources, (as opposed to preventing logins),
>> i.e. when you start the period where the machine turns into a
>> number-cruncher, you have to deal with those who are logged in
>> already: Imagine user foobar has started his terminal session yesterday,
>> then none of the techniques described in other answers
>> to your post will inform Mr. foobar that he shall not start any
>> compilations between 8:30 and 12:30 today. (Even if you have
>> set up your environment so that shells terminate after 60s of inactivity,
>> users know how to fool this...).

>> The manual solution would be to do a who

>> NAME    LINE   TIME         IDLE   PID  COMMENTS
>>      martha  ttyp3  Apr 16 08:14 16:25  2240
>>      george  ttyp0  Apr 17 07:33   .   15182

>> and then phone george and martha...

>> A scripted solution would extract the login names and send mails to
>> george and martha (assuming that people login using their
>> personal accounts rather than some generic compile-account) or even kill
>> everything which is attached to either ttyp3 or
>> ttyp0 (definitely a not-so-polite solution)

>When the production MRP system went down for backups, people were kicked
>off the system without warning.  The time backups are done is documented
>and that the system is _down_ at that time.  A perl script runs which
>queries the database to terminate connections to it in an orderly manner.
>Then a script which terminates remote sessions and disables telnet
>connections runs.  Only the operator on the console can log in.  Mirrors
>are broken and a backup is started.  When they complete, mirrors are
>resync-ed and telnet access is restored.

>"Sometimes I get more results with a kind word and a 2x4 than with a
>kind word alone..."

Even better might be a nice word; just nice them to hell?

David

 
 
 
