topic Re: Restrict initial logins to accounts other than root? in Operating System - HP-UX

Restrict initial logins to accounts other than root?

Carl Houseman — Thu, 30 Nov 2006 12:08:43 GMT

Is there any way to do this? We have several accounts that are used for running an application and would prefer that users not initially login to those accounts. Instead, they should use their personal login and then su to the application account. The purpose is to have some audit trail in syslog of who was operating under those accounts.

I know how to do this for CDE, but what about telnet and sshd?

thanks all...

Re: Restrict initial logins to accounts other than root?

Coolmar — Thu, 30 Nov 2006 12:49:17 GMT

Hi Carl,

This thread should be able to help you:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=123216&admit=-682735245+1164908912885+28353475

Re: Restrict initial logins to accounts other than root?

Carl Houseman — Thu, 30 Nov 2006 13:11:10 GMT

A link earlier in that thread doesn't work.

Later on in the thread it suggests changes to .profile but there's a hitch I forgot to mention. Users need to be able to

su - name

to get to the restricted acount. So they will execute the .profile from su. Need another way.

Re: Restrict initial logins to accounts other than root?

Ivan Ferreira — Thu, 30 Nov 2006 13:14:48 GMT

This is the thread you need:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1023896

The example is for oracle but you can modify it to use with any account.

Re: Restrict initial logins to accounts other than root?

James R. Ferguson — Thu, 30 Nov 2006 13:18:00 GMT

Hi Carl:

Executing 'su - logname' will cause the '.profile' for the 'logname' to be executed. [Posix shell assumed, here.]

As the last piece of the '.profile':

# exec /your_application_code

Regards!

...JRF...

Re: Restrict initial logins to accounts other than root?

Coolmar — Thu, 30 Nov 2006 13:19:29 GMT

How about any of these suggestions:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1048593

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1070664

Re: Restrict initial logins to accounts other than root?

Carl Houseman — Thu, 30 Nov 2006 13:46:33 GMT

Ivan's reference thread had everything I need to fix up both sshd and telnet (with .profile changes). Thanks Ivan!

And in case that thread disappears, the solutions I've implemented are:

sshd_config:
DenyUsers username

.profile:
if [ `who -m|grep 'acctname'|wc -l` -gt 0 ]
then
exit
fi

with .profile owned by root and restricted permissions to prevent user changes.

Re: Restrict initial logins to accounts other than root?

James R. Ferguson — Thu, 30 Nov 2006 14:02:01 GMT

Hi (again) Carl:

Hmmm...0-points for attempting to help you when your question/problem description assumes someone is Miss Cleo...

...JRF...

Re: Restrict initial logins to accounts other than root?

Carl Houseman — Thu, 30 Nov 2006 14:09:58 GMT

Apparently others in this topic were more in touch with Miss Cleo than you, James.

Either that or Miss Cleo wasn't really needed.

Re: Restrict initial logins to accounts other than root?

James R. Ferguson — Thu, 30 Nov 2006 14:16:38 GMT

Hi:

> Apparently others in this topic were more in touch with Miss Cleo than you, James. Either that or Miss Cleo wasn't really needed.

Yeah, and I'll venture to say that you probably wouldn't say "thank you" to someone who even held a door open for you.

Don't worry, I got your point (no pun intended).

...JRF...