Operating System - HP-UX

Disable direct login of user from specific source

Famy
New Member



I have a user "XYZ" on server prod.
There are applications running on prod as XYZ as owner.

I want to disable direct login as user "XYZ" on server prod.

Users should be able to sudo to this user XYZ once they are logged into the server as their named user.

Now the main requirement is that direct login should be enabled only from one other server, "TEST", and not from any other servers or client machines.
George Spencer_4
Frequent Advisor

Re: Disable direct login of user from specific source

We have similar requirements on our systems (or maybe I should say that our auditors have enforced similar requirements). We only permit administrative logins to be accessed via sudo, not directly. To achieve this you can either lock the login, or change the encrypted password to an asterisk. Once the user has logged in on their own account, if they have been added to the sudoers file, then they can sudo to the administrative account.

Unfortunately for you, this blocks all logins of the administrative accounts from remote hosts.

You can however bypass this problem by using ssh with a public/private key.
Famy
New Member

Re: Disable direct login of user from specific source

I would need to do telnet and ftp from the remote server "TEST" as the XYZ user on PROD.

How can I do that ?

Public/Private key only will help for ssh/scp.

How can I do telnet and ftp too?
D. Jackson_1
Honored Contributor

Re: Disable direct login of user from specific source

Check into the file /var/adm/inetd.sec.
You can do some IP control through there for telnet sessions and others.

on PROD
ftp deny *.*.*.*
telnet deny *.*.*.*

ftp allow
telnet allow

I would enforce all other users to use SSH and SFTP/SCP for access.

HTH
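Added example, not posted by anyone in this thread: a small POSIX sh script that models the two controls the replies describe (George Spencer's "encrypted password set to an asterisk" for XYZ, and D. Jackson's /var/adm/inetd.sec allow/deny entries) on constructed data, so the intended policy can be checked against a few source addresses before the live files on PROD are edited. It assumes 192.0.2.10 as the address of server TEST (the thread never gives one, and the posted inetd.sec snippet leaves that field blank), supports only literal octets and the "*" wildcard in host patterns (inetd.sec also accepts ranges, which are not modelled), and assumes the inetd.sec semantics that the first line for a service decides, "allow" admits only the listed hosts, "deny" admits everyone except them, and an unlisted service is open to all. Verify those rules against inetd.sec(4) on your release. The sudoers part of the setup is not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): models the two controls the replies
# describe, on constructed data, so the intended policy can be checked before
# /etc/passwd or /var/adm/inetd.sec on PROD are touched.
set -f   # no pathname expansion: "*" in inetd.sec host patterns must stay literal

# Constructed /etc/passwd excerpt. XYZ's encrypted-password field is "*",
# which no password ever hashes to, so direct password login is impossible
# while sudo (and ssh with a key) still work.
PASSWD='root:x:0:3::/:/sbin/sh
XYZ:*:200:20:application owner:/home/XYZ:/usr/bin/sh
famy:aB3dEf.gH1jK2:201:20::/home/famy:/usr/bin/sh'

# Constructed rules in /var/adm/inetd.sec syntax. 192.0.2.10 is an assumed
# address standing in for server TEST; the thread gives no real address.
RULES='# service  allow|deny  host patterns
telnet  allow  192.0.2.10
ftp     allow  192.0.2.10
exec    deny   10.*.*.*
login   deny   *.*.*.*'

# password_login_disabled USER: true if USER's password field is "*"
password_login_disabled() {
    user=$1
    while IFS=: read -r name pw rest; do
        [ "$name" = "$user" ] || continue
        [ "$pw" = "*" ] && return 0
        return 1
    done <<EOF
$PASSWD
EOF
    return 1   # unknown user: nothing is locked
}

# match_pattern PATTERN ADDR: true if dotted-quad ADDR matches PATTERN, where
# each octet of PATTERN is a literal or "*". Anything else is compared as a
# plain hostname. (Octet ranges such as 1-20 are not modelled.)
match_pattern() {
    pat=$1; addr=$2
    case "$pat" in
        *.*.*.*) ;;
        *) [ "$pat" = "$addr" ] && return 0; return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $pat;  p1=$1; p2=$2; p3=$3; p4=$4
    set -- $addr; a1=$1; a2=$2; a3=$3; a4=$4
    IFS=$oldifs
    for pair in "$p1:$a1" "$p2:$a2" "$p3:$a3" "$p4:$a4"; do
        p=${pair%%:*}; a=${pair#*:}
        [ "$p" = "*" ] || [ "$p" = "$a" ] || return 1
    done
    return 0
}

# check_access SERVICE ADDR: prints "allow" or "deny". Assumed semantics
# (check inetd.sec(4) on your release): the first line for SERVICE decides;
# "allow" admits only the listed hosts, "deny" admits everyone except them;
# an unlisted service is open to all.
check_access() {
    svc=$1; addr=$2; result=allow
    while read -r rsvc action hosts; do
        case "$rsvc" in ''|'#'*) continue ;; esac
        [ "$rsvc" = "$svc" ] || continue
        matched=1
        for h in $hosts; do
            match_pattern "$h" "$addr" && { matched=0; break; }
        done
        if [ "$action" = allow ]; then
            [ $matched -eq 0 ] && result=allow || result=deny
        else
            [ $matched -eq 0 ] && result=deny || result=allow
        fi
        break
    done <<EOF
$RULES
EOF
    echo "$result"
}

# Usage: the policy from the original question, expressed as checks.
password_login_disabled XYZ && echo "XYZ: password login disabled"
echo "telnet from TEST (192.0.2.10): $(check_access telnet 192.0.2.10)"
echo "telnet from elsewhere:         $(check_access telnet 203.0.113.5)"
echo "ftp from TEST:                 $(check_access ftp 192.0.2.10)"
```

One caveat worth checking before copying the snippet from the reply above: if inetd does take the first line per service, a "deny *.*.*.*" line placed ahead of the "allow" line for the same service would shadow it and block TEST as well. A single "allow" line per service carrying only TEST's address expresses the intent unambiguously whichever line inetd honours.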