
User Login

SOLVED
G V R Shankar
Valued Contributor

User Login

Hi,

Following is my requirement.

I have a Unix user which controls the application. No one should log in to the server with this account, whether over ssh, telnet or any other application.

They should log in using their individual account and then be able to do su - apps_account.

Is it possible? If so, please explain.

Cheers,
Ravi
11 REPLIES
Robert-Jan Goossens_1
Honored Contributor

Re: User Login

Hi Ravi,

Just lock the password of the user.

# passwd -l user

Regards,
Robert-Jan
G V R Shankar
Valued Contributor

Re: User Login

$ su - test
Your password was changed by root
Password:
Account is disabled - see Account Administrator
su: Sorry

Doesn't meet my requirement.

Ravi.
vinod_25
Valued Contributor

Re: User Login

Hi Ravi,

Keep the shell column of the user as /bin/false in /etc/passwd - this will meet your requirement.

Vinod
G V R Shankar
Valued Contributor

Re: User Login

Hi Vinod,

If I keep the shell as /bin/false, it will not allow me to log in over ssh or even do su - test.

Ravi.
Robert-Jan Goossens_1
Honored Contributor

Re: User Login

Ravi,

I changed the passwd field in the (in my case) /etc/shadow file to LOCKED for a test user. Now you can use su - user to switch user, but you cannot log in directly with this user account.

gorj:LOCKED:14361::::::

Regards,
Robert-Jan
G V R Shankar
Valued Contributor

Re: User Login

Hi,

There are 2 challenges here. When we change it to LOCKED, it actually changes the password field, and whenever the user types the password, it doesn't match the encrypted password, because we have removed the encrypted password and put in a new word, LOCKED.

So the user will never log in to the server over telnet or ssh. Instead of changing the encrypted portion, I can just change the password of the apps user and keep it with me ;)

As you said, I can do su - test, but I can only do it as root. I cannot switch to the user as a normal user. Again, the password will not work.

Cheers,

Ravi.
Autocross.US
Trusted Contributor

Re: User Login

Do you have sudo in your environment? If so, you could set the password to something random and then set up a sudo profile for the users to be able to sudo to the account w/o a password. Here's an example sudoers for this:

User_Alias PROD = user1, user2, user3
PROD ALL = NOPASSWD: /usr/bin/su [-] apps_acct

The user would login with their account and then run: sudo su - apps_acct

If configured properly, the users won't be prompted for the apps_acct password.

I drive way too fast to worry about calories.
G V R Shankar
Valued Contributor

Re: User Login

Hi,

Using sudo is the last thing on my mind. Is there any way to accomplish my requirement?

Ravi.
OldSchool
Honored Contributor

Re: User Login

"Using sudo is the last thing in my mind. Is there any way to accomplish my requirement."

OK, locking the account means you can't "su -" as a normal user, as the password has to work.

Changing the shell to "false" won't work, as you need a shell.

However, sudo will let "normal" users "su -" to the locked account using *their* password, because they'd be running the "su" as root.

Maybe sudo needs to move up on your list?
Autocross.US
Trusted Contributor
Solution

Re: User Login

You could do one of the following:

- In the apps_account user's .profile, create a script check to see if the account was logged into directly or by su (who am i). The script would exit if logged into directly. I've done something like this in Solaris.

- Another method would be to deny the user access to each application. See the 'DenyUsers' directive for ssh and ftpusers for ftp. I'm sure most apps can be configured to deny a specific user.

I drive way too fast to worry about calories.
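As an added illustration of the first suggestion above (this is example code, not something posted in the thread), here is a .profile guard for the shared account. It relies on `who am i` reporting the name the session was originally logged in as: after `su - apps_account` from a personal account that name is the personal account, while a direct ssh or telnet login shows the shared account itself. The account name `apps_account` and the environment variable `APP_ACCOUNT` are assumed names.

```sh
#!/bin/sh
# Guard for the shared account's ~/.profile (added example, not from the thread).
# Install by appending to ~apps_account/.profile:
#     . /usr/local/lib/profile-guard.sh && guard_shared_account || exit 1

APP_ACCOUNT="${APP_ACCOUNT:-apps_account}"   # assumed name of the shared account

# is_direct_login ACCOUNT ORIGIN
# ORIGIN is the first field of `who am i` (the login name the session started as).
# Returns 0 (true) when the session looks like a direct login of ACCOUNT.
is_direct_login() {
    acct="$1"
    origin="$2"
    # No utmp record (no controlling tty, e.g. a non-interactive session):
    # fail closed and treat it as a direct login.
    [ -z "$origin" ] && return 0
    # Session was logged in as the shared account itself: direct login.
    [ "$origin" = "$acct" ] && return 0
    # Logged in as someone else and switched with su: allowed.
    return 1
}

# guard_shared_account: run the live check; non-zero means the caller should exit.
guard_shared_account() {
    origin=$(who am i 2>/dev/null | awk '{print $1}')
    if is_direct_login "$APP_ACCOUNT" "$origin"; then
        echo "Direct login to $APP_ACCOUNT is not permitted; use su - $APP_ACCOUNT from your own account." >&2
        # Leave an audit trail in syslog (logger is optional; errors are ignored).
        logger -p auth.warning -t profile-guard \
            "direct login attempt for $APP_ACCOUNT rejected (origin='${origin:-none}')" 2>/dev/null
        return 1
    fi
    return 0
}
```

A .profile check only runs when a login shell reads .profile, so it is a convenience guard rather than an enforced control; pair it with the DenyUsers / ftpusers approach from the second bullet for sessions that never source .profile.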
G V R Shankar
Valued Contributor

Re: User Login

Implemented the solution provided by Autocross.US.

Thank You.