Solved: User Login

G V R Shankar · ‎04-24-2009

hi,

Following is my requirement.

I have a unix user which controls the applicaiton. No one should login to the server using this account using ssh or telnet or any other application.

They shud login using their individual account and then they should be able to do su - apps_account.

Is it possible, if so, please explain.

Cheers,
Ravi

Robert-Jan Goossens_1 · ‎04-24-2009

Hi Ravi,

Just lock the password of the user.

# passwd -l user

Regards,
Robert-Jan

G V R Shankar · ‎04-24-2009

$ su - test
Your password was changed by root
Password:
Account is disabled - see Account Administrator
su: Sorry

Doesn't meet my requirement.

Ravi.

vinod_25 · ‎04-24-2009

Hi Ravi,

Keep the shell column of the user as /bin/false in /etc/passwd - this will meet ur requirement.

Vinod

G V R Shankar · ‎04-27-2009

hi Vinod,

If i keep the shell /bin/false, it will not allow me to login over ssh or even su - test.

Ravi.

Robert-Jan Goossens_1 · ‎04-27-2009

Ravi,

I changed the passwd field in the (my case) /etc/shadow file to LOCKED for a test user. Now you can use su - user to switch user, but you can not login directly with this user account.

gorj:LOCKED:14361::::::

Regards,
Robert-Jan

G V R Shankar · ‎04-27-2009

Hi,

There are 2 challeges here. When we change it to LOCKED, it actually changes the password field and whenever user types the password, it doesn't match the encrypted pasword, becoz, we have removed the encrypted password and put a new word LOCKED.

So they user will never login to the server over telnet or ssh. instead of chnaging the encrypted portion, I can just change the password of the apps users and keep it with me ;)

As you said, I can do su - test, but I can do it as root. I cannot switch to the user as a normal user. Again the password will not work.

Cheers,

Ravi.

Autocross.US · ‎04-27-2009

Do you have sudo in your environment? If so, you could set the password to something random and then setup a sudo profile for the users to be able to sudo to the account w/o a password. Here's an example sudoers for this:

User_Alias PROD = user1, user2, user3
PROD ALL = NOPASSWD: /usr/bin/su [-] apps_acct

The user would login with their account and then run: sudo su - apps_acct

If configured properly, the users won't be prompted for the apps_acct password.

I drive way too fast to worry about calories.

G V R Shankar · ‎04-27-2009

Hi,

Using sudo is the last thing in my mind. Is there any way to accomplish my requirement.

Ravi.

OldSchool · ‎04-27-2009

"Using sudo is the last thing in my mind. Is there any way to accomplish my requirement."

ok, locking the account means you can't "su -" as a normal user, as the password has to work.

changing shell to "false" won't work as you need a shell.

however, sudo will let "normal" users "su -" to the locked account using *their* password, because they'd be running the "su" as root.

Maybe sudo need to move up on your list?

Autocross.US · ‎04-27-2009

You could do one of the following:

- in the apps_account users .profile, create a script check to see if the account was logged into directly or by su (who am i). The script would exit if logged into directly. I've done something like this in Solaris.

- Another method would be to deny the user access to each application. See the 'DenyUsers' directive for ssh and ftpusers for ftp. I'm sure most apps can be configured to deny a specific user.

I drive way too fast to worry about calories.

G V R Shankar · ‎04-29-2009

Implimented the solution provided by Autocross.US.

Thank You.

User Login

User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Re: User Login

Hewlett Packard Enterprise International