Operating System - HP-UX
1748274 Members
4272 Online
108760 Solutions
New Discussion юеВ

Re: Disable telnet/ssh login for certain user

 
SOLVED
Go to solution
Sajjad Ali_1
Occasional Advisor

Disable telnet/ssh login for certain user

Need urgent help!!!
Hi,
I have an application that runs under a regular unix ID 'prod1'. I want to disable direct login for 'prod1' via ssh or telnet. But I do want some users to be able to su to prod1 and do application maintainence tasks. How can I accomplish that? Also the above scnerio is possible, then where do I define which users are allowd to su to prod1.

If anyone can answer this quickly, I would greatly appreciate it.

Thanks,
Tony
15 REPLIES 15
Steven E. Protter
Exalted Contributor

Re: Disable telnet/ssh login for certain user

Change the shell in /etc/passwd to /usr/bin/false

This will disable login completely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
RAC_1
Honored Contributor

Re: Disable telnet/ssh login for certain user

Put some code in /etc/profile. Something as follows.

uid=$(id -u)
if [[ ${uid} = "uid_of_user" ]]
then
echo "No direct logins"
else
echo "giving login"
fi

Anil
There is no substitute to HARDWORK
Sajjad Ali_1
Occasional Advisor

Re: Disable telnet/ssh login for certain user

changing to /usr/bin/false wouldn't let anyone su to that userid.

Anil, your suggestion will solve who can and cannot su to that username. Thanks.

However, how do I disable direct login of prod1, yet still allow certain user to su to prod1 and prod1 would still be able to run jobs/scripts. Any solution to this? Thanks.
RAC_1
Honored Contributor

Re: Disable telnet/ssh login for certain user

sudo comes to my mind. Here is how you can do it. Put the code that I gave in /etc/profile. this would not allow direct login and su (this code will also su prod1, but not su - prod1, cause in second command /etc/profile gets executed)

So configure sudo for all those users with the commands that they need to run as prod1.

"user1" ALL=(prod1) /xxx/prod1_command1 /yyy/prod1_command2

Now you run these programs as follows.

sudo /xxx/prod1_command
In this case /xxx/prod1 command will run under prod1 by user "user1"

man pages of sudo and visudo


Anil
There is no substitute to HARDWORK
Sajjad Ali_1
Occasional Advisor

Re: Disable telnet/ssh login for certain user

Anil,

I have tried putting your code in the /etc/profile, but the user prod1 is still being allowed to login directly.

uid=$(id -u)
if [[ ${uid} = "109" ]]
then
echo "This id is not allowed to login directly"
else
echo "giving login"
#set enviroment.

.................
................. etc. etc.

fi


What am I doing wrong? Thanks.
RAC_1
Honored Contributor

Re: Disable telnet/ssh login for certain user

Correction in code.

uid=$(id -u)
if [[ ${uid} -eq "109" ]]
then
echo "This id is not allowed to login
directly"
exit 1
else
echo "giving login"
fi

Did you check second post??
There is no substitute to HARDWORK
Darrel Louis
Honored Contributor

Re: Disable telnet/ssh login for certain user

Hi,

Do you have sudo installed on your Server.
With sudo you can define who's able to su to prod1.

Good Luck

Darrel
Mark Nieuwboer
Esteemed Contributor

Re: Disable telnet/ssh login for certain user

Hi,

We have don something different.
We make a file /etc/not_loginable and in this file we put the application users.

Then in the /etc/profile we put the following code.
# custom code for denying generic account login
if logname > /dev/null 2>&1
then
LGNM=`logname`
if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
then
echo "\nDirect login not allowed for $LGNM\n"
sleep 2 # For display on ssh-login #
echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
logger -p user.err -t NOT_LOGINABLE
exit 1
fi
fi

When you login under your own account you are able to su to the user.

grtz. Mark
Gordon  Morrison
Trusted Contributor

Re: Disable telnet/ssh login for certain user

See this thread. I think it has the answer you want.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=825287
What does this button do?