
Disabling a generic functional account from logging in directly

 
SOLVED
Paddy O'Connell
Frequent Advisor


Hi everyone,

I'm looking for a little help with stopping a generic account logging into 1 of our UNIX servers.

I would like the users to login with their own account and then su to this account.

The account in question needs to have its full permissions other than logging in directly, because there are cron jobs and ftp jobs associated with this account.

What I tried so far was adding the below to /etc/profile. While this works for stopping direct logins, it also stops su logins to this account as well, which I don't want.

uid=$(whoami)

if [ "$uid" = cpsbatch ]
then
    echo "Sorry user account $uid is prohibited from logging in directly to $HOSTNAME"
    sleep 5
    exit 0
fi

Thanks
Paddy
6 REPLIES
Gordon  Morrison
Trusted Contributor
Solution


Hi Paddy,
"whoami" returns just the username of the current shell.
If you use "who am i" it will return the original login name of the original login as the first field on the line, but even after using su, it still returns the username you originally logged in as.
What does this button do?
RAC_1
Honored Contributor


Do you have HP ssh installed? It has built-in tcp wrappers. If not, install tcp wrappers and prepare the /etc/hosts.allow and /etc/hosts.deny files. In the /etc/hosts.deny file put the following:

telnetd : user_name_to_be_prohibited_from_direct_login

Anil
There is no substitute to HARDWORK
Dani Seely
Valued Contributor


Hi Paddy,
Try changing the user's shell to /sbin/false. This will allow the user account to log in via ftp but not directly, and may work the same for what you are looking for.
Together We Stand!
Gordon  Morrison
Trusted Contributor


uid=$(who am i|awk '{print $1}')
What does this button do?
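
The "who am i" test from the reply above, combined with the /etc/profile snippet from the original post, as an added example (not code posted by anyone in this thread). The function names and the sample who lines are constructed for illustration; it assumes the login name is the first field of the "who am i" line, as described above.

```shell
#!/bin/sh
# Added example: block direct logins as a shared account but allow "su -".
RESTRICTED_ACCOUNT="cpsbatch"   # account named in the original post

# Print the first field (the login name) of one "who am i" line.
# Prints nothing for an empty line, i.e. a session with no terminal entry.
login_name() {
    printf '%s\n' "$1" | awk 'NF { print $1; exit }'
}

# Succeed (exit status 0) only when the terminal was logged in to directly
# as the restricted account. After "su - cpsbatch" the terminal entry still
# carries the original user's name, so that session is let through.
# An empty line is let through as well: the check fails open without a tty.
is_direct_login() {
    name=$(login_name "$1")
    [ -n "$name" ] && [ "$name" = "$2" ]
}

# Fragment intended for /etc/profile (hypothetical wrapper name).
profile_check() {
    if is_direct_login "$(who am i 2>/dev/null)" "$RESTRICTED_ACCOUNT"; then
        echo "Sorry user account $RESTRICTED_ACCOUNT is prohibited from logging in directly to $(hostname)"
        sleep 5
        exit 1
    fi
}

# Constructed sample lines in the "name line time" layout of who output.
SAMPLE_DIRECT='cpsbatch   pts/2        Mar  3 09:14'
SAMPLE_VIA_SU='paddy      pts/3        Mar  3 09:20'

# Demonstration on the constructed lines; profile_check itself is not run here.
for line in "$SAMPLE_DIRECT" "$SAMPLE_VIA_SU" ""; do
    if is_direct_login "$line" "$RESTRICTED_ACCOUNT"; then
        echo "block: $line"
    else
        echo "allow: ${line:-(no terminal entry)}"
    fi
done
```

/etc/profile is read only by sh-family login shells, so cron and ftp sessions for the account never reach this check, and neither does any other entry path that does not start a login shell.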
Paddy O'Connell
Frequent Advisor


Gordon, thank you very much, that is what I was looking for; implemented in test and it works exactly the way I'd hoped.

Thanks All for the other replies as well.

Kind regards
Paddy
TwoProc
Honored Contributor


Paddy,

Don't forget to assign points too!
We are the people our parents warned us about --Jimmy Buffett