HPE Community
Operating System - HP-UX
1752587 Members
3844 Online
108788 Solutions
New Discussion юеВ

Re: SECURE LOGIN

 
Chris Chaoman
Occasional Contributor

тАО09-03-2007 11:21 PM

тАО09-03-2007 11:21 PM

SECURE LOGIN

How do I stop users logging in directly as oracle or any other power users? The same way that /etc/securetty works for root.

Chris C
0 Kudos
Reply
8 REPLIES 8
Wim Rombauts
Honored Contributor

тАО09-03-2007 11:31 PM

тАО09-03-2007 11:31 PM

Re: SECURE LOGIN

Enter some direct text in the password field. That will prevent users from being able to enter a correct password.
You can allways become oracle executing "su" as root without needing a password.

This setup is possibly not that quickly to do. We configured our software-accounts like that from the beginnen and use .rhosts and .shosts to configure who is allowed to ogin as who. If you have scripts or other programs that depend on the oracle account password, you should modify those scripts first.
0 Kudos
Reply
Robert Salter
Respected Contributor

тАО09-04-2007 03:05 AM

тАО09-04-2007 03:05 AM

Re: SECURE LOGIN

Chris,

You could do something like this: create a file, say .idnams and put in the IDs you do not want to have direct logins to, i.e. "oracle". Then in /etc/profile add;
grep $LOGNAME /var/adm/.idnams
if [ "$?" = "0" ]
then
echo "You must login with your own ID and then 'su' to $LOGNAME"
sleep 5
exit
fi


Robert

Time to smoke and joke
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО09-04-2007 04:53 AM

тАО09-04-2007 04:53 AM

Re: SECURE LOGIN

>Robert: grep $LOGNAME /var/adm/.idnams
if [ "$?" = "0" ]; then

You should clean this up so the grep doesn't get echoed for everyone:
grep -q $LOGNAME /var/adm/.idnams
if [ $? -eq 0 ]; then
0 Kudos
Reply
Robert Salter
Respected Contributor

тАО09-04-2007 05:57 AM

тАО09-04-2007 05:57 AM

Re: SECURE LOGIN

Thanks Dennis, your way is cleaner.
Time to smoke and joke
0 Kudos
Reply
VK2COT
Honored Contributor

тАО09-04-2007 08:44 AM

тАО09-04-2007 08:44 AM

Re: SECURE LOGIN

Hello,

I implemented a simple solution for Oracle
accounts for a Fortune-100 company recently.
They wanted a free (open-source) and portable
solution that worked for HP-UX, Linux and
SunOS (Solaris).

In fact, my Knowledge Brief is just about to
be published for HP staff.

Short summary for ITRC:

a) Disable all standard but obsolete
protocols (telnet, rlogin, rsh, ...).
I do this on all servesr anyway :)

b) Disable CDE, X-windows logins
(not many use it nowdays).

c) Set DenyUsers in sshd_config:

DenyUsers oracle

That way, user oracle cannot log in
via SSH.

d) Install SUDO and SUDOSH (either compile
them or get packages). For HP-UX,
I could not find ported version of SUDOSH
so I had to build it myself.

e) Set up sudoers file. For example:

User_Alias DBA=dba1,dba2
DBA ALL=(oracle) /usr/local/bin/sudosh

f) Then, as user dba1 or dba2:

sudo -u oracle /usr/local/bin/sudosh

The beauty of SUDOSH is that it also
keeps a log of ALL commands that
are executed. Admin can even do this:

sudosh-replay

Excellent for those which are
obsessed with SOX-compliance.

Cheers,

VK2COT

PS. I also tested various solutions
(but they are all different for various
flavours of Unix) based on PAM, and Role
Based Access Control.

Finally, companies that do not
have budgetary constraints would
definitely like PowerBroker (commercial
product).
VK2COT - Dusan Baljevic
0 Kudos
Reply
Robert Fritz
Regular Advisor

тАО09-05-2007 05:22 AM

тАО09-05-2007 05:22 AM

Re: SECURE LOGIN

I'd also recommend some free tools that give you better granularity of control than sudo/powerbroker:

Select Access for IdMI (role-based access), and HP-UX Bastille (for lockdown and security-configuration reporting).

Also, I'm a little nervous about relying on Robert/Dennis' approach. I suspect (though haven't tested it), that an interrupt or shell escape could get a user past that check in the profile.
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО09-05-2007 11:39 AM

тАО09-05-2007 11:39 AM

Re: SECURE LOGIN

>Robert: that an interrupt or shell escape could get a user past that check in the profile.

I would think that would just exit the shell.
0 Kudos
Reply
Heironimus
Honored Contributor

тАО09-06-2007 03:53 AM

тАО09-06-2007 03:53 AM

Re: SECURE LOGIN

Actually it's probably better to use "if grep -q foo ; then" intead of grep followed by a comparison with $?. But either way, it's still wrong for what you're trying to do.

/etc/profile is only called for a login shell. If you specify a remote command you won't invoke a login shell. "ssh -t user@host /usr/bin/sh" will give you an interactive shell without running /etc/profile, unless you've taken special steps to prevent it. Most of the time it'll be easier to find a better way than it will be to force a call to /etc/profile.

I've demonstrated this several times for people. It usually leads to a surprised look followed by a long explanation of how remote shells work and how shells decide what login scripts to run.



For the most part Dusan's advice looks correct to me, but I do have a couple comments on it.

I would recommend EAS over sudosh, if you can still find it anywhere. It fixed a lot of the shortcomings of sudosh and added support for logging to a network server. Unfortunately, I think some company bought the rights from the original author and quickly took down the source so they could sell a new version as part of their product instead....

I would also recommend using AllowGroups and DenyGroups instead of AllowUsers and DenyUsers in sshd_config. Using a group makes the access control part of account management, listing individual users in sshd_config makes access control part of sshd administration.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.