topic Re: User Login in Operating System - HP-UX

User Login

G V R Shankar — Fri, 24 Apr 2009 11:57:41 GMT

hi,

Following is my requirement.

I have a unix user which controls the applicaiton. No one should login to the server using this account using ssh or telnet or any other application.

They shud login using their individual account and then they should be able to do su - apps_account.

Is it possible, if so, please explain.

Cheers,
Ravi

Re: User Login

Robert-Jan Goossens_1 — Fri, 24 Apr 2009 12:03:36 GMT

Hi Ravi,

Just lock the password of the user.

# passwd -l user

Regards,
Robert-Jan

Re: User Login

G V R Shankar — Fri, 24 Apr 2009 12:13:52 GMT

$ su - test
Your password was changed by root
Password:
Account is disabled - see Account Administrator
su: Sorry

Doesn't meet my requirement.

Ravi.

Re: User Login

vinod_25 — Fri, 24 Apr 2009 12:21:31 GMT

Hi Ravi,

Keep the shell column of the user as /bin/false in /etc/passwd - this will meet ur requirement.

Vinod

Re: User Login

G V R Shankar — Mon, 27 Apr 2009 09:45:04 GMT

hi Vinod,

If i keep the shell /bin/false, it will not allow me to login over ssh or even su - test.

Ravi.

Re: User Login

Robert-Jan Goossens_1 — Mon, 27 Apr 2009 10:27:22 GMT

Ravi,

I changed the passwd field in the (my case) /etc/shadow file to LOCKED for a test user. Now you can use su - user to switch user, but you can not login directly with this user account.

gorj:LOCKED:14361::::::

Regards,
Robert-Jan

Re: User Login

G V R Shankar — Mon, 27 Apr 2009 12:38:14 GMT

Hi,

There are 2 challeges here. When we change it to LOCKED, it actually changes the password field and whenever user types the password, it doesn't match the encrypted pasword, becoz, we have removed the encrypted password and put a new word LOCKED.

So they user will never login to the server over telnet or ssh. instead of chnaging the encrypted portion, I can just change the password of the apps users and keep it with me ;)

As you said, I can do su - test, but I can do it as root. I cannot switch to the user as a normal user. Again the password will not work.

Cheers,

Ravi.

Re: User Login

Autocross.US — Mon, 27 Apr 2009 12:47:54 GMT

Do you have sudo in your environment? If so, you could set the password to something random and then setup a sudo profile for the users to be able to sudo to the account w/o a password. Here's an example sudoers for this:

User_Alias PROD = user1, user2, user3
PROD ALL = NOPASSWD: /usr/bin/su [-] apps_acct

The user would login with their account and then run: sudo su - apps_acct

If configured properly, the users won't be prompted for the apps_acct password.

Re: User Login

G V R Shankar — Mon, 27 Apr 2009 13:27:34 GMT

Hi,

Using sudo is the last thing in my mind. Is there any way to accomplish my requirement.

Ravi.

Re: User Login

OldSchool — Mon, 27 Apr 2009 13:38:58 GMT

"Using sudo is the last thing in my mind. Is there any way to accomplish my requirement."

ok, locking the account means you can't "su -" as a normal user, as the password has to work.

changing shell to "false" won't work as you need a shell.

however, sudo will let "normal" users "su -" to the locked account using *their* password, because they'd be running the "su" as root.

Maybe sudo need to move up on your list?

Re: User Login

Autocross.US — Mon, 27 Apr 2009 15:00:20 GMT

You could do one of the following:

- in the apps_account users .profile, create a script check to see if the account was logged into directly or by su (who am i). The script would exit if logged into directly. I've done something like this in Solaris.

- Another method would be to deny the user access to each application. See the 'DenyUsers' directive for ssh and ftpusers for ftp. I'm sure most apps can be configured to deny a specific user.

Re: User Login

G V R Shankar — Wed, 29 Apr 2009 15:18:15 GMT

Implimented the solution provided by Autocross.US.

Thank You.