https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847409#M274345 Thank you all for the response. I did the easier one to create a new .profile with exit 0 and tell the users to do as Kapil Raj<BR />suggested. It is working.<BR /><BR /><BR />Thanks Tue, 22 Aug 2006 17:53:49 GMT dgizaw 2006-08-22T17:53:49Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847397#M274333 Hi every body,<BR /><BR />How do I disable user from logging directly by application userid? I want the user to login as him/her self and su to application. If somthing happens I will be able to trace who logged in at that time.<BR /><BR />Thanks Mon, 21 Aug 2006 11:03:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847397#M274333 dgizaw 2006-08-21T11:03:06Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847398#M274334 Hi,<BR /><BR />Take a look at this thread:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=1048593" target="_blank">http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=1048593</A><BR /><BR /><BR />PCS Mon, 21 Aug 2006 11:11:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847398#M274334 spex 2006-08-21T11:11:07Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847399#M274335 If you have sudo installed I'd disable the account by putting a * in the password field in /etc/passwd, adding all the application users to an appusers group, and then modifying the sudoers file:<BR /><BR />%appusers localhost=/usr/bin/su - <APP_USER></APP_USER> Mon, 21 Aug 2006 11:18:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847399#M274335 Jonathan Fife 2006-08-21T11:18:24Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847400#M274336 sudo is teh choice.<BR /><BR />Allows you to capture the logging asd to who did the su to the account.<BR /><BR /> Mon, 21 Aug 2006 11:20:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847400#M274336 Rick Garland 2006-08-21T11:20:21Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847401#M274337 This has a hole in it but could be an option.<BR /><BR />In the profile of the su'd user check that the the number of processes using ps is greater than two. i.e. must have two shells running. If not do an exit.<BR /><BR />Now the user could change the .profile after su'ing so this is not a secure option.<BR /><BR />Setting the users shell to /usr/bin/false might work but typically you want a shell and the profile to be read when doing su - user.<BR /><BR />I have always looked for this option as well, if you find a secure solution make sure you repost.<BR /><BR /><BR />The only other choice so far would be to use sudo.<BR /><BR /> Mon, 21 Aug 2006 11:33:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847401#M274337 Tim Nelson 2006-08-21T11:33:01Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847402#M274338 Thank you guys for the quick responses. I was wondering if there is anything similar in HP-UX as Solaris /etc/udeny. In /etc/udeny you list the application userid and that will disable any body to directly to login but only able to su. Your suggestions are a little complex, if that is the only choice I might have to use it.<BR /><BR /><BR />Thank you all Mon, 21 Aug 2006 12:04:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847402#M274338 dgizaw 2006-08-21T12:04:06Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847403#M274339 Hello,<BR /><BR />As stated above the SShd2_config file has a deny user line. But what about the /etc/limilogins file. you may want to check and make an entry in that file also.<BR /><BR />Sp, Mon, 21 Aug 2006 12:30:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847403#M274339 Sp4admin 2006-08-21T12:30:34Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847404#M274340 Sp, <BR />The version of OpenSSH I have is 3.7 and SShd2_config does not exits. I checked ssh_config and sshd_config for deny user line and is not there. Can I put a line?<BR /><BR />Thanks Mon, 21 Aug 2006 14:00:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847404#M274340 dgizaw 2006-08-21T14:00:08Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847405#M274341 Shalom,<BR /><BR />This is simple.<BR /><BR />Users have no business having the password for the application user.<BR /><BR />Change it and don't tell the user.<BR /><BR />This is a policy issue, not an admin issue. If you disable the login, root won't be able to su -c username command to start the application server process.<BR /><BR />SEP Mon, 21 Aug 2006 14:03:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847405#M274341 Steven E. Protter 2006-08-21T14:03:59Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847406#M274342 SEP,<BR />If they do not know the password how can they su to the application user. Here is the example I want to do. <BR />application userid : asap<BR />username: kevin<BR /><BR />First Kevin should login as kevin and su to asap to get to the application. Right now a lot of people login as asap and want to know who that person is. If they try to login as asap to the system, the system should not let them login.<BR /><BR />Thanks Mon, 21 Aug 2006 15:02:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847406#M274342 dgizaw 2006-08-21T15:02:59Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847407#M274343 I think the ssh way is the best.<BR /><BR />OR ..<BR /><BR />In the .profile ,<BR /><BR />if [ `whoami` -eq "asap" ]<BR />then<BR /> exit 0<BR />fi<BR /><BR />Change the ownership of .profile to root ( can u change the home owner as root as well and then create all the child directories owned by the "asap" user ?).<BR /><BR />I think this will work, user's may have to use "su" instead of "su -" so that profile is not processed.<BR /><BR />Test it ...<BR /><BR /><BR />Kaps Mon, 21 Aug 2006 17:17:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847407#M274343 KapilRaj 2006-08-21T17:17:12Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847408#M274344 In HPUX 11.23 there is RBAC. Role Based Access Control.<BR /><BR />This will allow you to fine tune some of the access restrictions.<BR /><BR /> Tue, 22 Aug 2006 09:03:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847408#M274344 Rick Garland 2006-08-22T09:03:31Z https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847409#M274345 Thank you all for the response. I did the easier one to create a new .profile with exit 0 and tell the users to do as Kapil Raj<BR />suggested. It is working.<BR /><BR /><BR />Thanks Tue, 22 Aug 2006 17:53:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/logon-by-userid-instead-and-su-to-application/m-p/3847409#M274345 dgizaw 2006-08-22T17:53:49Z