HPE Community
Operating System - HP-UX
1833996 Members
2712 Online
110063 Solutions
New Discussion

Disable telnet/ssh login for certain user

 
SOLVED
Go to solution
Sajjad Ali_1
Occasional Advisor

‎03-04-2005 05:26 AM

‎03-04-2005 05:26 AM

Disable telnet/ssh login for certain user

Need urgent help!!!
Hi,
I have an application that runs under a regular unix ID 'prod1'. I want to disable direct login for 'prod1' via ssh or telnet. But I do want some users to be able to su to prod1 and do application maintainence tasks. How can I accomplish that? Also the above scnerio is possible, then where do I define which users are allowd to su to prod1.

If anyone can answer this quickly, I would greatly appreciate it.

Thanks,
Tony
0 Kudos
Reply
15 REPLIES 15
Steven E. Protter
Exalted Contributor

‎03-04-2005 05:38 AM

‎03-04-2005 05:38 AM

Re: Disable telnet/ssh login for certain user

Change the shell in /etc/passwd to /usr/bin/false

This will disable login completely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
RAC_1
Honored Contributor

‎03-04-2005 05:41 AM

‎03-04-2005 05:41 AM

Re: Disable telnet/ssh login for certain user

Put some code in /etc/profile. Something as follows.

uid=$(id -u)
if [[ ${uid} = "uid_of_user" ]]
then
echo "No direct logins"
else
echo "giving login"
fi

Anil
There is no substitute to HARDWORK
0 Kudos
Reply
Sajjad Ali_1
Occasional Advisor

‎03-04-2005 06:38 AM

‎03-04-2005 06:38 AM

Re: Disable telnet/ssh login for certain user

changing to /usr/bin/false wouldn't let anyone su to that userid.

Anil, your suggestion will solve who can and cannot su to that username. Thanks.

However, how do I disable direct login of prod1, yet still allow certain user to su to prod1 and prod1 would still be able to run jobs/scripts. Any solution to this? Thanks.
0 Kudos
Reply
RAC_1
Honored Contributor

‎03-04-2005 07:02 AM

‎03-04-2005 07:02 AM

Re: Disable telnet/ssh login for certain user

sudo comes to my mind. Here is how you can do it. Put the code that I gave in /etc/profile. this would not allow direct login and su (this code will also su prod1, but not su - prod1, cause in second command /etc/profile gets executed)

So configure sudo for all those users with the commands that they need to run as prod1.

"user1" ALL=(prod1) /xxx/prod1_command1 /yyy/prod1_command2

Now you run these programs as follows.

sudo /xxx/prod1_command
In this case /xxx/prod1 command will run under prod1 by user "user1"

man pages of sudo and visudo


Anil
There is no substitute to HARDWORK
0 Kudos
Reply
Sajjad Ali_1
Occasional Advisor

‎03-04-2005 07:48 AM

‎03-04-2005 07:48 AM

Re: Disable telnet/ssh login for certain user

Anil,

I have tried putting your code in the /etc/profile, but the user prod1 is still being allowed to login directly.

uid=$(id -u)
if [[ ${uid} = "109" ]]
then
echo "This id is not allowed to login directly"
else
echo "giving login"
#set enviroment.

.................
................. etc. etc.

fi


What am I doing wrong? Thanks.
0 Kudos
Reply
RAC_1
Honored Contributor

‎03-04-2005 07:58 AM

‎03-04-2005 07:58 AM

Re: Disable telnet/ssh login for certain user

Correction in code.

uid=$(id -u)
if [[ ${uid} -eq "109" ]]
then
echo "This id is not allowed to login
directly"
exit 1
else
echo "giving login"
fi

Did you check second post??
There is no substitute to HARDWORK
0 Kudos
Reply
Darrel Louis
Honored Contributor

‎03-05-2005 02:45 AM

‎03-05-2005 02:45 AM

Re: Disable telnet/ssh login for certain user

Hi,

Do you have sudo installed on your Server.
With sudo you can define who's able to su to prod1.

Good Luck

Darrel
0 Kudos
Reply
Mark Nieuwboer
Esteemed Contributor

‎03-06-2005 07:23 PM

‎03-06-2005 07:23 PM

Re: Disable telnet/ssh login for certain user

Hi,

We have don something different.
We make a file /etc/not_loginable and in this file we put the application users.

Then in the /etc/profile we put the following code.
# custom code for denying generic account login
if logname > /dev/null 2>&1
then
LGNM=`logname`
if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
then
echo "\nDirect login not allowed for $LGNM\n"
sleep 2 # For display on ssh-login #
echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
logger -p user.err -t NOT_LOGINABLE
exit 1
fi
fi

When you login under your own account you are able to su to the user.

grtz. Mark
0 Kudos
Reply
Gordon Morrison
Trusted Contributor

‎03-06-2005 08:06 PM

‎03-06-2005 08:06 PM

Re: Disable telnet/ssh login for certain user

See this thread. I think it has the answer you want.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=825287
What does this button do?
0 Kudos
Reply
Sajjad Ali_1
Occasional Advisor

‎03-07-2005 10:06 AM

‎03-07-2005 10:06 AM

Re: Disable telnet/ssh login for certain user

Darrel,

Do you have an example of SUDO configuration on who can SU to that user?

Thanks.
0 Kudos
Reply
Sajjad Ali_1
Occasional Advisor

‎03-07-2005 10:09 AM

‎03-07-2005 10:09 AM

Re: Disable telnet/ssh login for certain user

Nieuwboer,

Does /etc/profile get executed after a valid username/passwd attempt? The problem I am running into is that people are trying to guess the password of the service account and keep locking it up. I am trying to find a solution where as soon as you type in the username, it will kick you out before a password prompt. I don't think that's possible, is it? Thanks.
0 Kudos
Reply
Gordon Morrison
Trusted Contributor

‎03-07-2005 08:07 PM

‎03-07-2005 08:07 PM

Re: Disable telnet/ssh login for certain user

I don't think that's possible either. I think what you really need is a club to re-program your users with.
What does this button do?
0 Kudos
Reply
Gordon Morrison
Trusted Contributor

‎03-08-2005 01:26 AM

‎03-08-2005 01:26 AM

Solution

Re: Disable telnet/ssh login for certain user

I have designed a club for your users' reprogramming needs. (It may need some tweaking for your environment)
This will catch direct login attempts for a user, but will allow "su -" to that user.
Add the following to the relevant user's .profile :

uid=$(who am i|awk '{print $1}')
if [[ $uid = username ]] ; then
who -u | grep username | mailx -s "Attempted intrusion" root@hostname
echo""
echo "###################"
echo "Logging in directly as username is prohibited!"
echo "This attempt has been logged."
echo "Repeated attempts will result in diciplinary action."
echo "Please login as yourself, then use su"
echo "###################"
echo ""
exit
fi

What does this button do?
Reply
Mark Nieuwboer
Esteemed Contributor

‎03-09-2005 09:54 PM

‎03-09-2005 09:54 PM

Re: Disable telnet/ssh login for certain user

Sajjad,

Don't forget to give pionts.
0 Kudos
Reply
Mark Nieuwboer
Esteemed Contributor

‎03-11-2005 01:12 AM

‎03-11-2005 01:12 AM

Re: Disable telnet/ssh login for certain user

Hi Sajjad,

Your right my sollution don't prevent that the can lock the user. It will prevent to log on as that user. etc/profile is executed with al attemps of a valid user. futher more you must have disipline your people or kick temp for trying to hack.
solution above is a good one.

grtz, Mark
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.