topic Re: How to remove login capability ? in Operating System - HP-UX

How to remove login capability ?

Speedware — Mon, 26 Sep 2005 15:01:19 GMT

Hello,

I do a remove login capability (using telnet or rlogin) for a user but I can su do that user.

For example, I created generic user speedwre but I don't want people to login directly as speedwre. They must first logon as there user then do a su to speedwre.

I am using a hpux 11.23. I hope its clear.

Thanks.

Thanks.

Re: How to remove login capability ?

Rick Garland — Mon, 26 Sep 2005 15:07:06 GMT

You can put the following login in the /etc/profile to prevent the direct login

if [ $LOGNAME == "speedware" ]
then
echo "Please login as yourself and the su to the speedware account"
sleep 3
exit 1
fi

Re: How to remove login capability ?

Geoff Wild — Mon, 26 Sep 2005 15:13:45 GMT

I thi k you need to go to a Trusted System....

You could try this in /etc/profile:

##
Restricted="sybase oracle dba"
for User in $Restricted
do
if [ $User = $LOGNAME ] ; then
if [ "`who -a | grep $$ | awk '{print $8}'`" ]; then
echo Sorry, you must first login with YOUR userid, then type \"su - $LOGNAME\"
sleep 8
exit
fi
fi
done

Rgds...Geoff

Re: How to remove login capability ?

MANOJ SRIVASTAVA — Mon, 26 Sep 2005 15:15:13 GMT

Hi Speedware

What we do is to restrict diorect logins of SA's and DBA's , we add the following in /etc/profile

loginid=`who am i | awk '{print $1}'`

echo $loginid
if [ $loginid = oracle ]
then
exit
fi

echo $loginid
if [ $loginid = root ]
then
exit
fi
and that way the user don directly log in , and su collects the log.

Manoj Srivastava

Re: How to remove login capability ?

baiju_3 — Mon, 26 Sep 2005 15:21:49 GMT

Instead of setting this for individual user's .profile what we do is to execute

if [ -f /etc/no_login_allowed.sh ] ; then
. /etc/no_login_allowed.sh
fi

script from /etc/profile .We add all the users for which direct log in is not allowed in /etc/no_login.allowed .

the /etc/no_login_allowed.sh executes logname command and greps the logname from /etc/no_login.allowed .If it finds then exit .

By this method you can reduce your hassle to set for each user .

Thanks,
BL.

Re: How to remove login capability ?

Steven E. Protter — Mon, 26 Sep 2005 15:22:50 GMT

Note that no matter what solution you use beside /usr/bin/false as the shell, its theoretically possible for the user to break out of the shell and gain command line access.

SEP

Re: How to remove login capability ?

Rick Garland — Mon, 26 Sep 2005 15:30:35 GMT

SEP has a point.

Add the following traps to the logic

if [ $LOGNAME == "speedware" ]
then
trap 1 2 3 15
echo "Please login as yourself and the su to the speedware account"
sleep 3
exit 1
fi

Re: How to remove login capability ?

Speedware — Mon, 26 Sep 2005 15:33:36 GMT

Cool,
Thanks for the quick response.

I like the solutions. But I was hoping something built-in into HP-UX like a extra parameter into the /etc/passwd file.

I am going to implement it.

I don't really mind if they can break the shell as long as I know who they are on system.

Re: How to remove login capability ?

Nick Wickens — Mon, 26 Sep 2005 15:41:09 GMT

It might be worth explaining exactly what your requirement is for wanting to do this as there may be other options you can use.

I seem to recall that sudo can be configured to run processes as users other than just root and if its a specific process that needs to run as that user then more investigation into the configuration of sudo may be worthwhile.

Re: How to remove login capability ?

Speedware — Mon, 26 Sep 2005 15:45:03 GMT

I don't want people to use generic user to get on the system. That's basically what I want.

Re: How to remove login capability ?

Nick Wickens — Mon, 26 Sep 2005 15:57:58 GMT

Then sudo may be of some use as you can allow them to run a new shell as if they were the generic user without the need to know the generic users password.

I have done something similar in the past for a generic informix user as you can wrap scripts around the routine to report on which user is using the id and sudo will maintain its own logs.

Do you have sudo installed - Its available from here if you don't have it.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/

Re: How to remove login capability ?

Speedware — Mon, 26 Sep 2005 16:00:14 GMT

I will take a look at it.

Thanks.

Re: How to remove login capability ?

Arunvijai_4 — Mon, 26 Sep 2005 22:47:56 GMT

Sudo is part of HP Internet Express as well, It is compiled with more options, You can download from

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

-Arun

Re: How to remove login capability ?

Jeff Lightner_1 — Tue, 27 Sep 2005 07:22:03 GMT

Just change the shell portion of the /etc/passwd entry to /bin/false. That will prevent su and any other login from being succesful. This is because on invocation it will execute /bin/false.

Also due to this it will never read /etc/profile, /etc/login, .profile or .login. Solutions saying to update those risk people being able to break out if they hit ctrl-C quickly enough.

Re: How to remove login capability ?

Ratzie — Tue, 27 Sep 2005 09:50:46 GMT

Just a thought, but if you change to ssh login only, you can specify in the sshd_config file
DenyUsers user1 user2 whoever