
create no login user ID

 
Carl Cloutier
Advisor


Hi,
Is there a way to create or effect a no-login user on an HPUX 11 non-trusted machine? What I mean is a user that cannot log in but can be su'd to. That means simply altering the user's password is not an acceptable solution.
Thanks,
Carl

When in doubt, gas it!
5 REPLIES
Paula J Frazer-Campbell
Honored Contributor

Re: create no login user ID

Carl

Create the user and put * in the password field.

I think that should do what you require.


Paula
If you can spell SysAdmin then you is one - anon
Michael Steele_2
Honored Contributor
Solution

Re: create no login user ID

Any IP address or set of IP addresses can be blocked or denied via inetd.sec or one of the various other IP filtering applications. And this would prevent any telnet or rlogin connection to any and all.

Allow only specific statically assigned IPs or subnets and protect them.

Else, whatever is defined in the shell parameter as well as the password parameters will block or deny any access to the account.
Support Fatherhood - Stop Family Law
john korterman
Honored Contributor

Re: create no login user ID

Hi,
In ksh you can make use of the LOGNAME variable: the name with which the user originally logs in is assigned to that variable. You can then test on the original logname in the .profile for the user to whom you will only allow su.
Example of the .profile for the user flipflop:

#!/usr/bin/sh
# LOGNAME is "flipflop" only when the user logged in directly, so end the session
if [ "$LOGNAME" = "flipflop" ]
then
    exit
fi

which will immediately log out the user flipflop when he logs in directly, but allow a su - flipflop.

regards,
John K.
it would be nice if you always got a second chance
Paul Sperry
Honored Contributor

Re: create no login user ID

For the user qwerty the /etc/passwd entry would be

qwerty:*:102:300:Qwerty Person:/home/qwerty:/bin/ksh

No login
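
As an added example (not part of any reply in this thread), a small POSIX sh/awk audit of passwd-format input for the `*` password-field approach shown in the entry above. The function names, status labels and every sample account other than qwerty are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify passwd(4)-format lines read from stdin.
# Prints "user:status" per account, where status is one of:
#   empty     password field is empty (no password required)
#   no-shell  shell is a false/nologin binary, so a plain "su - user" fails too
#   su-only   password field is "*" (no password can match) and a real shell
#             is set; in practice only root can su to it, since non-root su
#             must supply the target account's password
#   login     anything else (password login is possible)
classify_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and short lines
        {
            user = $1; pw = $2; shell = $7
            if (pw == "")                          status = "empty"
            else if (shell ~ /\/(false|nologin)$/) status = "no-shell"
            else if (pw == "*")                    status = "su-only"
            else                                   status = "login"
            print user ":" status
        }'
}

# Constructed sample input; only the qwerty line comes from the thread.
sample_passwd() {
    cat <<'EOF'
qwerty:*:102:300:Qwerty Person:/home/qwerty:/bin/ksh
alice:CONSTRUCTEDHASH:103:300:Constructed User:/home/alice:/usr/bin/sh
svc:*:104:300:Constructed Service:/home/svc:/usr/bin/false
guest::105:300:Constructed Guest:/home/guest:/usr/bin/sh
EOF
}

# Demo run on the sample; for a real system use: classify_passwd < /etc/passwd
sample_passwd | classify_passwd
```

The `*` field only blocks password authentication, so the network-level restrictions discussed elsewhere in the thread still matter for services that authenticate by other means.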
Michael Steele_2
Honored Contributor

Re: create no login user ID

Any IP address or set of IP addresses can be blocked or denied via inetd.sec or one of the various other IP filtering applications. And this would prevent any telnet or rlogin connection to any and all.

Allow only specific statically assigned IPs or subnets and deny all others.

Whatever is defined in the account shell parameter as well as the password parameter will be seen during the login process regardless of connection type, whether from network or serial login.
Support Fatherhood - Stop Family Law