https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980352#M419710 I very quick easy question I hope.<BR /><BR />On a HP-UX 11.11 system that uses a tcb database is it possible to stop certain users from logging in interactively but allowing su access to them.<BR /><BR />I know I could do something with their .profile, but I was wondering if it is possible to do this with a setting in the /etc/passwd file or in the tcb database?<BR /> Tue, 23 May 2006 08:54:57 GMT Steve Blackwell 2006-05-23T08:54:57Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980352#M419710 I very quick easy question I hope.<BR /><BR />On a HP-UX 11.11 system that uses a tcb database is it possible to stop certain users from logging in interactively but allowing su access to them.<BR /><BR />I know I could do something with their .profile, but I was wondering if it is possible to do this with a setting in the /etc/passwd file or in the tcb database?<BR /> Tue, 23 May 2006 08:54:57 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980352#M419710 Steve Blackwell 2006-05-23T08:54:57Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980353#M419711 Hi,<BR />you can try to put a * simbol in the password field in the /etc/passwd file.<BR /><BR />Enrico Tue, 23 May 2006 09:05:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980353#M419711 Enrico P. 2006-05-23T09:05:14Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980354#M419712 Hi,<BR />you can try to put a * simbol in the password field in the /etc/passwd file.<BR /><BR />Remember to save you passwd file first<BR /><BR />Enrico Tue, 23 May 2006 09:05:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980354#M419712 Enrico P. 2006-05-23T09:05:49Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980355#M419713 Because the system is trusted the * in the /etc/passwd file already exists.<BR /><BR />Is there a setting for the tcb database?<BR /><BR />Steve Tue, 23 May 2006 09:12:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980355#M419713 Steve Blackwell 2006-05-23T09:12:09Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980356#M419714 As a trusted system, you will want the /tcb/files/auth directory area. From this point the subdirectory would match the 1st letter of the account name.<BR />Example, for the root account, /tcb/files/auth/r (root starts with the letter 'r' so proceed down this subdirectory)<BR /><BR />Put a star in the passwd field in here and you will lock the account. <BR /><BR />HPUX does not really have Role Based Access Control (RBAC) until version 11.23.<BR /><BR />There are numerous previous posts concerning this subject.<BR /><BR /> Tue, 23 May 2006 09:30:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980356#M419714 Rick Garland 2006-05-23T09:30:56Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980357#M419715 In rethinking, the better option would be to use the modprpw command to lock the accounts. No need to fool around in the tcb database by yourself. Let the command do it for you. Tue, 23 May 2006 10:50:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980357#M419715 Rick Garland 2006-05-23T10:50:33Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980358#M419716 However, you should note that if you lock the account either by entering an impossible passwd hash (e.g. '*') or by explicitly locking the account via passwd -l or modprpw the only a superuser will be able to su to that account; all other users will be prompted for a password or told that the account is locked. Tue, 23 May 2006 10:56:26 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980358#M419716 A. Clay Stephenson 2006-05-23T10:56:26Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980359#M419717 Lock the password as noted above and use<BR />the sudo package to su to the account. <BR />The password prompted for by sudo is the account executing the su command not the<BR />target account. su will be done as system<BR />and will not require an active password.<BR /> Tue, 23 May 2006 11:04:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980359#M419717 Bill Thorsteinson 2006-05-23T11:04:50Z https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980360#M419718 You have all confirmed my thoughts.<BR /><BR />Cheers<BR /><BR />Steve Thu, 25 May 2006 03:42:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-certain-user-login-but-allow-su/m-p/4980360#M419718 Steve Blackwell 2006-05-25T03:42:36Z