topic Prevent direct Login in Operating System - Linux

Prevent direct Login

jpmc admin — Thu, 01 Sep 2005 14:32:06 GMT

Hi

We have the application ID's login directly to the systems. We want to prevent the application ID's ( eg : oracle) directly login to the system. Instead, the user has to login with their ID first and then do su - appID to the application .

How do we do this ?

Thanks in Adv for the help !

Rgds / JPMC

Re: Prevent direct Login

Rick Garland — Thu, 01 Sep 2005 15:23:07 GMT

I am currently working on such as well. Here is what I have found thus far...

In the /etc/passwd file, change the shell for the user account to /bin/false. Users can ftp and su to that account but not be able to login. (Have not tested yet)

Use the output from 'who am i' and compare this with a file you create called '/etc/nodirectlogin'

In the /etc/profile you have something similar;
WHO=`${who am i|awk '{print $1}'
grep -q "^$WHO:" /etc/nodirectlogin
if [ $? = 0 ]
then
echo "$WHO cannot login directly"
fi

The /etc/nodirectlogin file has;
oracle
sybase
etc...

In the second example, just test for a user name in the /etc/profile, depending on the result, allow access or not. This will not affect the ability to su -

Re: Prevent direct Login

Ivan Ferreira — Thu, 01 Sep 2005 15:26:59 GMT

You can use the pam_access module. Configure it in the /etc/pam.d/system-auth file.

Then edit the /etc/security/access.conf file and specify that the user is not allowed to logon locally.

-:oracle:LOCAL

Re: Prevent direct Login

Ivan Ferreira — Thu, 01 Sep 2005 16:00:23 GMT

I also though the /bin/nologin /bin/false shell for the user, but won't be able to use the "su -" (with the -).

Re: Prevent direct Login

Gopi Sekar — Fri, 02 Sep 2005 01:31:03 GMT

I just checked the man page of login program. Interestingly it checks /etc/usertty files for login restrictions, I believe you can configure it for users, groups wise.

check the man page of login

Hope this helps,
Gopi

Re: Prevent direct Login

Muthukumar_5 — Fri, 02 Sep 2005 05:56:17 GMT

--- /etc/profile ---

if [[ $USER = "oracle" ]]
then

echo "plz login with your own ID. Then do su to applicaiton login ID"
sleep 5
exit 1
fi

Put this. It will start to work.

hth.

Re: Prevent direct Login

Ivan Ferreira — Fri, 02 Sep 2005 08:21:29 GMT

The last script can be cancelled before the exit (withing the 5 seconds of sleep).

If you want to use that, use the stty to disable the interrupt/break keys.

Re: Prevent direct Login

Raj D. — Fri, 02 Sep 2005 09:37:51 GMT

Hi JPMC ,

You can install sudo , and its very good tool to restrict users and various permission.

You may look at this link :
http://www.courtesan.com

Cheers ,
Raj

Re: Prevent direct Login

Ranjith_5 — Fri, 02 Sep 2005 10:51:49 GMT

Hi,

Change the application ID password so that it contains # or @ . Now with a telnet session this ID wont be able to login directly. This is my experience with HP-UX so far I havent tested on linux.

Regards,
Syam

Re: Prevent direct Login

Ivan Ferreira — Fri, 02 Sep 2005 11:32:46 GMT

The above solution won't allow su to that user without any other user than root, because you must specify the password.

If you are going to use that solution, you should use sudo to enable users use su as root to applications users.

Re: Prevent direct Login

Florian Heigl (new acc) — Fri, 02 Sep 2005 11:55:13 GMT

If it's enough to prevent ssh logins, there's a really easy solution, even if it's 'the other way round':

There's an option for sshd_config called AllowedGroups (or something like that).

create a group 'interactive' and add all 'real' users to it, but not others like oracle,dba,bin,sys,lp and the likes.

Every user that is not contained in the group will be prohibited login after daemon restart.

Re: Prevent direct Login

Ranjith_5 — Fri, 02 Sep 2005 11:59:40 GMT

Hi ivan,

I think JPMC's need is to know who all are currently logged into the system. May be he doesnt mind to share the applID password with the users if this is his purpose.

Regards,
Syam

Re: Prevent direct Login

Florian Heigl (new acc) — Fri, 02 Sep 2005 12:09:05 GMT

Muthukumar,

You need to ensure to trap ^C and other commands, otherwise the oracle user will probably be logged in if someone hit's ^C, killing the sleep process.