topic Restrict Direct Login in Operating System - HP-UX

Restrict Direct Login

Global Server Operation — Wed, 29 Mar 2006 19:45:35 GMT

Is there a way to configure ssh to disable remote login access for a non-root user (a DBA), so the user is required to login with an individual account and su to the DBA ID?

OS is 11.i.

Re: Restrict Direct Login

Richard Allen — Wed, 29 Mar 2006 20:24:50 GMT

man sshd on my 11.11 system has:

Regardless of the authentication type, the account is checked to
ensure that it is accessible. An account is not accessible if it is
locked, listed in DenyUsers or its group is listed in DenyGroups .

Also, cant you just replace the password field in /etc/passwd (assuming you are not using shadow passwords or trusted mode) with a * for that DBA user thus forcing all users to log in as them selves and then using su ?

Re: Restrict Direct Login

Rajeev Shukla — Wed, 29 Mar 2006 20:36:11 GMT

I dont see a way. You cant restrict a user to not login through ssh unless you make the shell as nologin but in your case you cant do that as its DBA administrator login.

The Only solution in my mind for your problem is by hiding the password of DBA with you, so no one can login and when then want to su to DBA account let them use sudo to do that.

Re: Restrict Direct Login

Prashant Zanwar_4 — Wed, 29 Mar 2006 21:09:13 GMT

It is possible by not giving the password to such accounts and keep accounts locked..
Only sudo to account will be allowed this way..
Configuring sudoers is better way.. I dont know a way through ssh..

Hope it helps
Thanks
Prashant

Re: Restrict Direct Login

Patrice Le Guyader — Thu, 30 Mar 2006 00:37:44 GMT

Demat,

Under the authentication section in the sshd_config file add a
line to deny users like this:

-----------------------------------------
# Authentication:

#LoginGraceTime 600
PermitRootLogin no
DenyUsers titi toto tutu tata <----
#StrictModes yes
-------------------------------------

You can also restrict users at the group level but note that this does not
stop anyone from logging in as themselves and SU'ing to the user that is not
allowed in,( assuming they know the password).

$ man sshd_config
[snip]
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. `*' and `'? can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.

Hope this helps
Pat

Re: Restrict Direct Login

Global Server Operation — Thu, 30 Mar 2006 06:57:28 GMT

Thanks. I will give it a try.

Re: Restrict Direct Login

Alzhy — Thu, 30 Mar 2006 14:14:57 GMT

Or if you want to restrict what logins can ssh login:

AllowUsers larry,curly,moe

If you've a need to restrict SSH direct login and restrict root login to the console and follow /etc/securetty. OpenSSH 4.2p1 (or the latest HP Secure Shell) now finally plugs this hole. Simply add:

EnforceSecureTTY yes

With this, root will no longer be able to ssh direct - BUT will still be able to do "ssh server some-command".

Re: Restrict Direct Login

Rick Garland — Thu, 30 Mar 2006 14:34:13 GMT

Depending on what version of 11.i you have, look into RBAC (Role Based Access Control)

Provides greater granularity for these types of controls.