Prevent remote logins to a non-root account

Victor Semaska_3
Esteemed Contributor

Prevent remote logins to a non-root account

Greetings,

Management wants us to prevent remote logins to certain non-root accounts, similar to the way you can prevent remote logins to root via /etc/securettys.

The reason for this is that we have certain accounts, like oracle, for production. Management wants an audit trail as to who logged into that account. The idea is the DBAs would first log into their personal account and then su over to the oracle account. We have audit enabled so we have these events logged.

So, is there a way to prevent remote logins to certain non-root accounts in Tru64?

Thanks,
Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
14 REPLIES
Stiwi Wondrusch
Trusted Contributor

Re: Prevent remote logins to a non-root account

Hi Victor

I was searching for exactly the same some time ago. Our oracle accounts have ksh as login shell. So I placed the following in /etc/profile:

# Name that logged in on this terminal (from utmp), not the current uid
whoisit="$(who -m | awk '{print $1}')"
if [ "$TERM" != "dtterm" ]          # allow the graphical system console
then
    if [ "${whoisit}" = "oracle" ]  # direct login as oracle, not an su
    then
        echo "It's not possible to log in directly with the oracle account. Log in with your personal login and use: su - oracle"
        exit 1
    fi
fi

I know that this is more like a workaround than a solution.
I'm also interested in real solutions.

rgds Stiwi
Victor Semaska_3
Esteemed Contributor

Re: Prevent remote logins to a non-root account

Stiwi,

Thanks for the reply. I tried it but it doesn't seem to work the same for me. I forgot to mention I'm running V5.1B PK5.

$ echo $TERM
vt300
$ su - oracle
Password:
$ echo $TERM
vt300

Vic
Ivan Ferreira
Honored Contributor

Re: Prevent remote logins to a non-root account

Hi Victor. I don't understand your test. You said that you want to prevent remote "direct" logins, but in your test you do "su to oracle". And that should be successful?? Instead of echoing the TERM variable it is better to use the "id" command. Was the su successful?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Hein van den Heuvel
Honored Contributor

Re: Prevent remote logins to a non-root account

Victor,

Looks like you would just need to add a test for another terminal type like:
if [ "$TERM" != "dtterm" ] && [ "$TERM" != "vt300" ]

However... this does not look too secure.
And the who + cut is not too effective: use a shell builtin?

Also, for code in /etc/profile I would prune as quickly as possible. The test for TERM will succeed often right? The test for oracle will fail often I guess? If so, switch them around. It is also easier to read that way:
If oracle then blah blah further tests blah blah

fwiw,
Hein.
Victor Semaska_3
Esteemed Contributor

Re: Prevent remote logins to a non-root account

Ivan,

Maybe I don't understand Stiwi's code then. Here's the part I was trying to test:

if [ "$TERM" != "dtterm" ]
then
if [ "${whoisit}" = "oracle" ]
then

The way I'm reading it, if you su to another account then TERM should be set to "dtterm". My test was showing that TERM stayed at "vt300" when I su'd to oracle.

I looked at the manpage for 'id' and I don't understand how it would help.

The approach I'm looking into now is following the ppid's backwards to the 1st process (pid = 0).

If the username stays the same or root for all processes then it's a remote login so log out.

If the username changes to something other than the current username or root somewhere along the list of processes then it is su'd so allow the login to continue.

I'm writing a script to do this and so far it looks good.

Vic

Stiwi Wondrusch
Trusted Contributor
Solution

Re: Prevent remote logins to a non-root account

Hi Victor

This is the core of it and should work:

# Login name recorded in utmp for this terminal; su does not change it
whoisit="$(who -m | awk '{print $1}')"
if [ "${whoisit}" = "oracle" ]
then
    echo "login not possible"
    exit 1
fi

What happens when you login remote as oracle and you have this in your /etc/profile ?
Is your oracle-login-shell ksh?

rgds Stiwi
Hein van den Heuvel
Honored Contributor

Re: Prevent remote logins to a non-root account

Ah, elementary scripting. Steve's code does not set $TERM, but tests for it NOT to have a specified value "dtterm".

If it is not that, then it proceeds to test the username which it snarfed 'the hard way' from the who command through awk.

Check man sh (a long read!) for the tests

Check man who and and whoami for some details on username vs id usage.

You are making good progress by displaying the values to test on first. Then you carefully look at the various values based on the path taken to get there (direct login, su -, ...) and code up the desired actions accordingly.

Good luck,
Hein.

Victor Semaska_3
Esteemed Contributor

Re: Prevent remote logins to a non-root account

Stiwi,

I get it now. The 'who' command returns the username that logged in, not the current username. So, when the DBA 'su - oracle' the 'who' utility will return the DBA's username and not oracle.

I don't see any need to check TERM as in your original reply so I'm leaving that out.

Thanks,
Vic
Stiwi Wondrusch
Trusted Contributor

Re: Prevent remote logins to a non-root account

Hi all


1. This part:
if [ "$TERM" != "dtterm" ]
was for my own convenience. With this part it's not possible to log in from remote, but you can log in at the graphic System Console (e.g. to install Oracle).

2. I absolutely agree that this is not very safe. I was able to break this script sometimes by pressing Ctrl-C during login. This is the reason why I'm still looking for the real Tru64 solution.

Victor Semaska_3
Esteemed Contributor

Re: Prevent remote logins to a non-root account

Everyone,

Thanks for your input on this.

I see the security problem with /etc/profile. I put a 'sleep 5' before the 'trap "" 2 3' and was able to ctrl/c out every time.

So I tried this approach. I wrote a script called /usr/local/sbin/chksu.k which has in it:
#!/bin/ksh

# Login name recorded in utmp for this terminal (su does not change it)
whoisit="$(who -m | awk '{print $1}')"
if [ "${whoisit}" = "oracle" ]
then
    echo "direct login not allowed"
    exit 1
fi
# Hand over to the real shell once the check has passed
ksh

I added the following line to /etc/shells:
/usr/local/sbin/chksu.k

I ran dxaccounts and made /usr/local/sbin/chksu.k the shell for the account.

It seems to work. If I insert a 'sleep 5' in chksu.k and I ctrl/c while the script sleeps it terminates the session. I can't prevent the check.

Anybody see a problem with this approach?

Vic
Aco Blazeski
Regular Advisor

Re: Prevent remote logins to a non-root account

Hi,

I would use secure shell (SSH) for remote login: in /etc/ssh2/sshd2_config there is DenyUsers directive.

So you should have something like:

DenyUsers oracle


regards,
Victor Semaska_3
Esteemed Contributor

Re: Prevent remote logins to a non-root account

Aco,

Thanks but some of the servers still require that telnet be allowed.

Vic
Orjan Petersson
Frequent Advisor

Re: Prevent remote logins to a non-root account

Victor,

Regarding your script:

whoisit="$(who -m | awk '{print $1}')"
if [ "${whoisit}" = "oracle" ]
then
    echo "direct login not allowed"
    exit 1
fi
ksh

One potential problem with this script is that ksh is not invoked as a login shell. (See the invocation section in the ksh man page for an explanation of what that means).
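Pulling the thread's wrapper-shell approach together as an added example (this is not Vic's chksu.k, Stiwi's profile snippet, or anything shipped with Tru64): a login-shell wrapper that refuses a direct login to the shared account, cannot be skipped with Ctrl-C, fails closed when there is no utmp entry, and hands over to a login shell as Orjan's note calls for. Assumptions: `who -m` reports the terminal's utmp login name; the real shell is /bin/ksh and accepts `-l` to start as a login shell (ksh93/bash style; if the installed ksh lacks `-l`, run /etc/profile and $HOME/.profile yourself before the exec); `logger` is available; the CHKSU_* variables, the function names and the file name chksu.sh are hypothetical.

```shell
#!/bin/sh
# chksu.sh: wrapper login shell for a shared account such as oracle.
# Added example for this thread, not the thread's own script. Assumes the
# login name for the terminal is available from 'who -m' (utmp), that the
# real shell is /bin/ksh and accepts -l, and that 'logger' exists. On
# Tru64 the shebang would be /bin/ksh and the file must be in /etc/shells.

REAL_SHELL=${CHKSU_SHELL:-/bin/ksh}    # assumed shell to hand over to
PROTECTED=${CHKSU_PROTECTED:-oracle}   # account that may only be reached via su

# login_allowed UTMP_USER CURRENT_USER PROTECTED_USER
#   UTMP_USER    name 'who -m' reports for this terminal (empty if there is
#                no utmp entry, e.g. a session without a controlling tty)
#   CURRENT_USER the account about to get a shell (id -un)
# Returns 0 to allow the session, 1 to refuse it. The session is allowed
# only when the terminal was logged in under some *other* name, i.e. the
# user logged in as themselves (or root) and then ran 'su - oracle'.
login_allowed() {
    utmp_user=$1
    cur_user=$2
    protected=$3
    [ "$cur_user" = "$protected" ] || return 0    # not the guarded account
    [ -n "$utmp_user" ] || return 1               # no utmp entry: fail closed
    [ "$utmp_user" != "$protected" ] || return 1  # direct login as oracle
    return 0
}

chksu_main() {
    # Ignore Ctrl-C, Ctrl-\ and Ctrl-Z while deciding, so the check cannot
    # be interrupted the way an /etc/profile test can.
    trap '' INT QUIT TSTP
    utmp_user=$(who -m 2>/dev/null | awk '{print $1}')
    cur_user=$(id -un)
    if login_allowed "$utmp_user" "$cur_user" "$PROTECTED"; then
        # Restore default signal handling before exec, otherwise the new
        # shell inherits the ignored signals. Replace this process with a
        # *login* shell (-l) so /etc/profile and ~/.profile are read.
        trap - INT QUIT TSTP
        exec "$REAL_SHELL" -l "$@"
    fi
    logger -p auth.notice "chksu: refused direct login to $cur_user (utmp user: '${utmp_user:-none}')" 2>/dev/null
    echo "direct login to $PROTECTED not allowed; log in as yourself and run: su - $PROTECTED" >&2
    exit 1
}

# Only act when executed as the login shell (login invokes it as -chksu.*);
# sourcing the file just defines the functions.
case $0 in
    *chksu*) chksu_main "$@" ;;
esac
```

Install it the way Vic did: add the path to /etc/shells and make it the account's shell. The decision is kept in login_allowed so it can be exercised without a terminal. Two caveats worth keeping in mind: su does not rewrite utmp, so `who -m` keeps reporting the name that originally logged in (which is why Vic's su test showed his own name), and a session with no controlling tty, such as `ssh oracle@host command`, yields an empty name and is refused, which matches the goal of forcing everything through a personal login. This is still enforcement inside the account's own shell; the DenyUsers setting Aco mentions stops the session in sshd before any shell runs and is the stronger control wherever ssh is the only entry point.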