HPE Community
Operating System - HP-UX
1836648 Members
1947 Online
110102 Solutions
New Discussion

Disable Logins

 
SOLVED
Go to solution
Brian Bientz
Advisor

‎03-28-2001 07:07 AM

‎03-28-2001 07:07 AM

Disable Logins

For security reasons, we would like to disable remote logins to certain user accounts (in particular, root and oracle). We want to force people to login using there specific user account and su as necessary.

How can this be accomplished? We are running HP UX 11.00.
0 Kudos
Reply
13 REPLIES 13
Vincenzo Restuccia
Honored Contributor

‎03-28-2001 07:14 AM

‎03-28-2001 07:14 AM

Re: Disable Logins

For root edit /etc/securetty:
CONSOLE=/dev/console.
0 Kudos
Reply
Edward Sedgemore
Trusted Contributor

‎03-28-2001 07:17 AM

‎03-28-2001 07:17 AM

Re: Disable Logins


Create the file /etc/securetty and insert the word console into it. This means root accounts can only use the console to log direct into the server (which means physical machine room access) otherwise they must use their own personal accounts then su - root
0 Kudos
Reply
Rob Smith
Respected Contributor

‎03-28-2001 07:18 AM

‎03-28-2001 07:18 AM

Re: Disable Logins

In the /etc/securetty file put the work console. That will cause root logons to fail unless they are attempted from the system console. I believe you can do the same thing for the oracle account with that file but I am not 100% positive as to what the syntax would be.

Hope this helps.
Rob
Learn the rules so you can break them properly.
0 Kudos
Reply
Steffi Jones_1
Esteemed Contributor

‎03-28-2001 07:21 AM

‎03-28-2001 07:21 AM

Re: Disable Logins

Hello,

Root access can be denied to any port on the system by the use of the /etc/securetty file. If not present (the default), anyone who knows the root password can login as root regardless of their location (modem, DTC port, tty port, network login).

Steffi Jones


0 Kudos
Reply
Brian Bientz
Advisor

‎03-28-2001 07:38 AM

‎03-28-2001 07:38 AM

Re: Disable Logins

Thanks for the replies. We certainly seem to have the problem solved for root user. Does this same logic apply to other user accounts as well? That is, how can I disable logins to the oracle account?
0 Kudos
Reply
Vincenzo Restuccia
Honored Contributor

‎03-28-2001 08:57 AM

‎03-28-2001 08:57 AM

Re: Disable Logins

You can see /etc/pam_user.conf and man pam_user.conf.
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎03-28-2001 09:22 AM

‎03-28-2001 09:22 AM

Re: Disable Logins

What we have done for oracle is to set the oracle password to something like a *, and then set up sudo to allow the users that need to get to oracle to do that via sudo.

'sudo su - oracle' for example.

You can get sudo at the HP-UX porting center.
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎03-28-2001 09:23 AM

‎03-28-2001 09:23 AM

Solution

Re: Disable Logins

Hi,

After some thinking, I thought of an easy solution to your problem, and that is to make use of the differences in the commands "who am i" and "whoami". In an su situation, "who am i" will report the user you su from while "whoami" will report the user you su to.

In this way, depending on the login shell you are using, you can modify .profile/.cshrc/.login of your Oracle account accordingly to suit your needs.

For example, add the following to the beginning of your oracle's .profile:
=============================================
trap "" 1 2 3
if [ "who am i|awk '{print $1}' != "whoami" ]
then
# this implies an su, thus proceed on
# with the rest of your command executions.
else
# this user must have logged on direct
# without su'ing thus logout this user
logout
fi
trap 1 2 3
=============================================

To prevent your user from modifying his own .profile to workaround it, remember to change the ownership of oracle's .profile to root and chmod 755 the .profile.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Reply
Patrick Wallek
Honored Contributor

‎03-28-2001 09:26 AM

‎03-28-2001 09:26 AM

Re: Disable Logins

Here is the link to sudo:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/
0 Kudos
Reply
Joseph C. Denman
Honored Contributor

‎03-28-2001 09:51 AM

‎03-28-2001 09:51 AM

Re: Disable Logins

If the users know the oracle passwd anyway, why not just make them part of the dba group and not give them the oracle passwd. Being part of the dba group should give them permissions to do what they need to do? Just a thought...


...jcd...
If I had only read the instructions first??
0 Kudos
Reply
Jacques Simon
Advisor

‎03-29-2001 12:27 AM

‎03-29-2001 12:27 AM

Re: Disable Logins

Why not just check `tty` in the users profile?!
if test -t 0
then
if [ ! `tty` = "/dev/console" ]
then
...
exit
fi
fi
0 Kudos
Reply
Greg OBarr
Regular Advisor

‎03-29-2001 05:44 AM

‎03-29-2001 05:44 AM

Re: Disable Logins


You might want to check out ssh (Secure Shell)...very versatile and secure.

http://www.ssh.com

Features listed on web site:

Protects all passwords and data.
Full replacement for telnet, rlogin, rsh, rcp, and ftp.
Fully integrated secure file transfer and file copying. Really cool graphical user interface on Windows.
Automatic authentication of users, no passwords sent in cleartext to prevent the stealing of passwords.
Multiple strong authentication methods that prevent such security threats as spoofing identity.
Authentication of both ends of connection, the server and the client are authenticated to prevent identity spoofing, trojan horses, etc.
Automatic authentication using agents to enable strong authentication to multiple systems with a single sign-on.
Transparent and automatic tunneling of X11 sessions.
Tunneling of arbitrary TCP/IP-based applications, such as e-mail.
Encryption and compression of data for security and speed.
Multiple built-in authentication methods, including passwords, public key, and host-based authentication.
Multiple ciphers for encryption, including e.g. 3DES, Blowfish and the AES candidate TWOFISH.
0 Kudos
Reply
Joseph A Benaiah_1
Regular Advisor

‎04-08-2001 04:52 PM

‎04-08-2001 04:52 PM

Re: Disable Logins

Brian,

In addition to the use of /etc/securetty and checks in the /etc/profile, I would also comment out the exec service in /etc/inetd.conf. Otherwise a user could enter the following command in from a PC running Exceed or another X server:

rexec -l root "xterm -display :0.0"

This would load up an xterm as root on the host bypassing /etc/profile and roots .profile. Ofcourse, the person running this would have to provide the correct root password.

Cheers,

Joseph.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.