Operating System - HP-UX

How to lock account such that you can only su into it

SOLVED
Mike Smith_33
Super Advisor

Here's some easy points for someone. We have an account that we want to lock so that no one can do a regular login to the account. You must do an su to get in.

The account already exists and now that everything is set, we want to lock it down.

This is HP-UX 11i v1; please provide steps.
HGN
Honored Contributor

Re: How to lock account such that you can only su into it

Hi

If this is a trusted system, then the account will get locked by someone providing a wrong password (based on the settings in the policies).
You can use SAM or the getprpw command to set it.

Rgds

HGN
Mike Smith_33
Super Advisor

Re: How to lock account such that you can only su into it

I am not sure I understand the reply H. What I want is to set the account so that it can only be accessed by su, not by regular login.
Jeff_Traigle
Honored Contributor
Solution

Re: How to lock account such that you can only su into it

Assuming you're on a trusted system and have sudo installed, you should be able to utilize the following information from su(1):

"Except for user root, users on a trusted system cannot use su to change to an account that has been locked because of expired passwords or other access restrictions."

So, theoretically, you could lock the account and set up the sudoers file to allow certain users to do "sudo su - ".

There's no direct way to do what you want for regular user accounts that I'm aware of.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: How to lock account such that you can only su into it

Hmmm... in fact, that might even work on a regular system. Presumably, since root can su without a password, it could su to an account that's locked. I think I did that a number of years ago on 9.X and 10.20 systems I was testing some Xterminal problems on and I had those Xterminal accounts locked. Worth a try either way.
--
Jeff Traigle
Mike Smith_33
Super Advisor

Re: How to lock account such that you can only su into it

Jeff, it looks like you haven't solved the problem but pointed out that what I am trying to do won't work.
Rick Garland
Honored Contributor

Re: How to lock account such that you can only su into it

On a trusted or untrusted system, give the account a strong password that is not known to other individuals. Set up sudo so users can su to the account.

Or, set up the account so that it is locked, then 'sudo su - '



Mike Smith_33
Super Advisor

Re: How to lock account such that you can only su into it

Looks like sudo is the way to go.
Con O'Kelly
Honored Contributor

Re: How to lock account such that you can only su into it

Hi Mike

There is no method to do this on HP-UX.
You can set up your own check so that, prior to login, all users are checked to ensure that they are allowed to log in directly.

Add some code similar to the following in your /etc/profile file.

# Prevent direct logins to privileged accounts.
# 'who am i' reports the name that logged in on this terminal, which su does
# not change, so a session that arrived via "su - account" still passes.
USER=$(who am i | awk '{ print $1 }')
# Anchor both ends so that "ora" does not also match "oracle".
if grep -q "^${USER}\$" /etc/su_only.txt
then
    echo "No direct Login Allowed. Login with your own username and then su to $USER"
    sleep 5
    exit
fi

Add all logins to /etc/su_only.txt that you want to allow su only access as follows:

Cheers
Con
Don Mallory
Trusted Contributor

Re: How to lock account such that you can only su into it

Con, that's an interesting way around it, but if you use ssh and enable execution of commands, you can run:

ssh lockeduser@host sh

This will run a shell as the user on the other system, but won't run /etc/profile.

It's even worse if the user has scripts in their home directory and automounting of /home is on. The user can run scripts in their home remotely on the system with no way of stopping them.

I've seen your method used to block users from getting into the compute nodes on a cluster, they were supposed to run everything from the job management node, but liked to jump around it and steal cpu time from other users.
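Putting Con's /etc/profile check together with Don's ssh bypass, the following is an added example, not code posted by anyone in this thread. It keeps one list file, /etc/su_only.txt (one login name per line, '#' comments allowed), and derives two controls from it: the profile test, with the name anchored on both ends, and a DenyUsers line for sshd_config, so that a listed account cannot open an ssh session at all and the "ssh lockeduser@host sh" trick never reaches a shell. Assumptions: a POSIX sh with grep -x, an OpenSSH sshd that honours DenyUsers, and the sample list, which is constructed here for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread).  Two controls for an
# "su only" account, both driven by one list file:
#   1. direct_login_allowed: the /etc/profile test, anchored on both ends
#      so "ora" cannot match "oracle";
#   2. sshd_deny_line: a DenyUsers line for sshd_config built from the
#      same list, which closes the "ssh lockeduser@host sh" bypass because
#      sshd refuses the session before any shell (and any profile) runs.
# Assumed: POSIX sh, grep -x, and an OpenSSH sshd that honours DenyUsers.

# Return 0 if login NAME may log in directly, 1 if NAME is listed as su-only.
direct_login_allowed() {
    name=$1
    listfile=${2:-/etc/su_only.txt}
    [ -n "$name" ] || return 1               # unknown name: be strict
    [ -r "$listfile" ] || return 0           # no list: nothing restricted
    if grep -v '^#' "$listfile" | grep -qx "$name"; then
        return 1
    fi
    return 0
}

# Print one "DenyUsers a b c" line from the list file (nothing if the list
# is empty or unreadable).  Append it to sshd_config and restart sshd.
sshd_deny_line() {
    listfile=${1:-/etc/su_only.txt}
    [ -r "$listfile" ] || return 0
    users=$(grep -v '^#' "$listfile" | grep -v '^[[:space:]]*$' | tr '\n' ' ')
    users=${users% }                         # drop the trailing space
    if [ -n "$users" ]; then
        printf 'DenyUsers %s\n' "$users"
    fi
    return 0
}

# Constructed sample list, used only for the demo and the offline check.
make_sample_list() {
    cat > "$1" <<'EOF'
# accounts reachable only via su
oracle
appadmin
EOF
}

# The /etc/profile hook.  'who am i' reports the name that logged in on the
# terminal, which su does not change, so after "su - oracle" it still shows
# the original user and the check passes; a direct login as oracle is
# refused.  Call this from /etc/profile; it is defined but not run here.
refuse_direct_login() {
    login=$(who am i 2>/dev/null | awk '{ print $1 }')
    [ -n "$login" ] || login=$(id -un)
    if ! direct_login_allowed "$login"; then
        echo "No direct login allowed. Log in as yourself and su to this account."
        sleep 5
        exit 1
    fi
}

# Demo against the constructed list.
demo_list=${TMPDIR:-/tmp}/su_only_demo.$$
make_sample_list "$demo_list"
for u in oracle ora mike; do
    if direct_login_allowed "$u" "$demo_list"; then
        echo "$u: direct login permitted"
    else
        echo "$u: su only"
    fi
done
sshd_deny_line "$demo_list"
rm -f "$demo_list"
```

DenyUsers is the stronger of the two controls: it also removes the case Don raises where a user with scripts in an automounted home directory runs them over ssh with no profile involved. The profile check then only has to cover logins that arrive through a terminal, and a "sudo su - account" session still lands in the account normally.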