Operating System - HP-UX

Re: How to remove login capability ?

 
Speedware
Frequent Advisor

How to remove login capability ?

Hello,

I want to remove login capability (using telnet or rlogin) for a user, but still be able to su to that user.

For example, I created generic user speedwre but I don't want people to log in directly as speedwre. They must first log on as their own user and then su to speedwre.

I am using HP-UX 11.23. I hope it's clear.

Thanks.

Rick Garland
Honored Contributor
Solution

Re: How to remove login capability ?

You can put the following logic in /etc/profile to prevent direct login:

# Refuse the session when the login name is the generic account
if [ "$LOGNAME" = "speedware" ]
then
    echo "Please login as yourself and then su to the speedware account"
    sleep 3
    exit 1
fi

Geoff Wild
Honored Contributor

Re: How to remove login capability ?

I think you need to go to a Trusted System....

You could try this in /etc/profile:

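##
# Accounts that may not log in directly
Restricted="sybase oracle dba"
for User in $Restricted
do
    if [ "$User" = "$LOGNAME" ] ; then
        # Non-empty only when this shell's PID ($$) shows up in who -a,
        # i.e. it is the session's login shell rather than one started by su
        if [ "`who -a | grep $$ | awk '{print $8}'`" ]; then
            echo Sorry, you must first login with YOUR userid, then type \"su - $LOGNAME\"
            sleep 8
            exit
        fi
    fi
done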



Rgds...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
MANOJ SRIVASTAVA
Honored Contributor

Re: How to remove login capability ?

Hi Speedware


What we do to restrict direct logins of SAs and DBAs is add the following to /etc/profile:

# who am i reports the name the session originally logged in with
loginid=`who am i | awk '{print $1}'`

echo "$loginid"
if [ "$loginid" = oracle ]
then
    exit
fi

echo "$loginid"
if [ "$loginid" = root ]
then
    exit
fi

and that way the user doesn't directly log in, and su collects the log.



Manoj Srivastava
baiju_3
Esteemed Contributor

Re: How to remove login capability ?

Instead of setting this for individual users' .profile, what we do is to execute

if [ -f /etc/no_login_allowed.sh ] ; then
    . /etc/no_login_allowed.sh
fi

from /etc/profile. We add all the users for which direct login is not allowed to /etc/no_login.allowed.

/etc/no_login_allowed.sh executes the logname command and greps for the logname in /etc/no_login.allowed. If it finds it, then it exits.

By this method you can reduce the hassle of setting it for each user.

Thanks,
BL.
Good things Just Got better (Plz,not stolen from advertisement -:) )
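
One way the /etc/no_login_allowed.sh helper described in the post above could look, as an added example that is not the poster's actual script. The file names come from the post; the function names and the sample deny list are assumptions made for illustration.

```sh
# Added example, not the poster's script. File names follow the post above;
# function names are hypothetical.
DENY_LIST=${DENY_LIST:-/etc/no_login.allowed}

# Constructed sample of the deny list: one account name per line.
sample_deny_list() {
    cat <<'EOF'
# generic accounts: reach these with su, never by direct login
speedwre
oracle
EOF
}

# is_restricted NAME [FILE]: succeed only if NAME is a whole entry in FILE.
# Exact comparison keeps "ora" from matching "oracle". A missing or
# unreadable file restricts nobody.
is_restricted() {
    name=$1
    list=${2:-$DENY_LIST}
    [ -n "$name" ] && [ -r "$list" ] || return 1
    # "|| [ -n ... ]" also processes a last line that lacks a newline
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;      # skip blank lines and comments
        esac
        [ "$entry" = "$name" ] && return 0
    done < "$list"
    return 1
}

# enforce_direct_login_policy: meant to be called from /etc/profile.
# logname(1) reports the name the session logged in with, so after
# "su - oracle" from a personal account it still names that account.
enforce_direct_login_policy() {
    trap '' 1 2 3 15                  # ignore HUP/INT/QUIT/TERM during the check
    session_user=$(logname 2>/dev/null)
    if is_restricted "$session_user"; then
        echo "Direct login as $session_user is not allowed; log in as yourself, then su." >&2
        sleep 3
        exit 1
    fi
    trap - 1 2 3 15                   # restore default signal handling
}
```

To use it, source the file from /etc/profile and call enforce_direct_login_policy right after. The check fails open: if logname returns nothing or the list is unreadable, the login proceeds.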
Steven E. Protter
Exalted Contributor

Re: How to remove login capability ?

Note that no matter what solution you use besides /usr/bin/false as the shell, it's theoretically possible for the user to break out of the shell and gain command line access.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rick Garland
Honored Contributor

Re: How to remove login capability ?

SEP has a point.

Add the following traps to the logic


if [ "$LOGNAME" = "speedware" ]
then
    # Ignore HUP, INT, QUIT and TERM so the message and exit cannot be interrupted
    trap '' 1 2 3 15
    echo "Please login as yourself and then su to the speedware account"
    sleep 3
    exit 1
fi
Speedware
Frequent Advisor

Re: How to remove login capability ?

Cool,
Thanks for the quick response.

I like the solutions. But I was hoping for something built into HP-UX, like an extra parameter in the /etc/passwd file.

I am going to implement it.

I don't really mind if they can break the shell as long as I know who they are on the system.

Nick Wickens
Respected Contributor

Re: How to remove login capability ?

It might be worth explaining exactly what your requirement is for wanting to do this as there may be other options you can use.

I seem to recall that sudo can be configured to run processes as users other than just root, and if it's a specific process that needs to run as that user then more investigation into the configuration of sudo may be worthwhile.
Hats ? We don't need no stinkin' hats !!
Speedware
Frequent Advisor

Re: How to remove login capability ?

I don't want people to use generic user to get on the system. That's basically what I want.
Nick Wickens
Respected Contributor

Re: How to remove login capability ?

Then sudo may be of some use, as you can allow them to run a new shell as if they were the generic user without the need to know the generic user's password.

I have done something similar in the past for a generic informix user, as you can wrap scripts around the routine to report on which user is using the id, and sudo will maintain its own logs.

Do you have sudo installed? It's available from here if you don't have it.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/
Hats ? We don't need no stinkin' hats !!
Speedware
Frequent Advisor

Re: How to remove login capability ?

I will take a look at it.

Thanks.
Arunvijai_4
Honored Contributor

Re: How to remove login capability ?

Sudo is part of HP Internet Express as well. It is compiled with more options. You can download it from

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Jeff Lightner_1
Frequent Advisor

Re: How to remove login capability ?

Just change the shell portion of the /etc/passwd entry to /bin/false. That will prevent su and any other login from being successful. This is because on invocation it will execute /bin/false.

Also due to this it will never read /etc/profile, /etc/login, .profile or .login. Solutions saying to update those risk people being able to break out if they hit ctrl-C quickly enough.
Ratzie
Super Advisor

Re: How to remove login capability ?

Just a thought, but if you change to ssh login only, you can specify in the sshd_config file
DenyUsers user1 user2 whoever