Operating System - HP-UX

disabling ALL user access trusted system

Scott Van Kalken
Esteemed Contributor

disabling ALL user access trusted system

Hi all,

I'm wondering what the best way is to disable ALL user logins to a trusted system.

I have a trusted system and would like to occasionally stop all users from logging in.

I know on an untrusted system it is possible just to log onto the console as root, lock the console and copy the password file out.

However, on a trusted system I suspect that this wont work and I'm not in the mood for a broken machine.

Any ideas?
Craig Rants
Honored Contributor

Re: disabling ALL user access trusted system

If you are just wanting to copy the /etc/passwd file, I would...

As root from the console,
touch /etc/nologin
unconvert the system
cp /etc/passwd /etc/passwd.old
convert the system
rm /etc/nologin

One thing to know, the auditing files will be removed so if you want them ...

Good Luck,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Scott Van Kalken
Esteemed Contributor

Re: disabling ALL user access trusted system

Hmmmm...

I've thought of doing this, but the problem is when re-converting to a trusted system, I think it requires all users to change their passwords when logging in.

Is this correct?

Craig Rants
Honored Contributor
Solution

Re: disabling ALL user access trusted system

I have done this before and as I recall, I didn't have any users call me with password problems, of course this was about a year ago...

Since it was already a trusted system, I think accounts should be ok, as opposed to a new conversion...

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Scott Van Kalken
Esteemed Contributor

Re: disabling ALL user access trusted system

cool

I'll give it a go on my test box now.

Why not I say!

I'll let you know how it goes.

Thanks

Scott.
Patrick Wallek
Honored Contributor

Re: disabling ALL user access trusted system

If you just want to prevent ALL users from logging in you can use /etc/nologin to prevent ALL users except root from logging in. I don't think it matters if the system is trusted or not.

Here is how to set it up so that /etc/nologin will work on 11.X systems. From TKB document KBRC00005800

You need to have HP-UX 11.0 and the latest cumulative login patch or HP-UX 11.11 which has this feature incorporated in the login command.

Patch required for HP-UX 11.0:
PHCO_24083 s700_800 11.00 login(1) cumulative patch

NOTE: As with all patches, please refer to the Patch Database for the most recent version of this patch.

Follow these steps to activate the nologin parameter:


1. Create the file /etc/default/security and add the nologin parameter. This file must be world readable and root writable.
# vi /etc/default/security

Add the following line and save the file:

NOLOGIN=1

# chown root /etc/default/security

# chmod 644 /etc/default/security

2. Then, create the file /etc/nologin, and add the message you would like your users to see, example:

# vi /etc/nologin

System maintenance is taking place, please login again after 4:00 PM.
Roger Baptiste
Honored Contributor

Re: disabling ALL user access trusted system


use the modprpw command
to do this.

****
# lock every account named in "userlist" (one login name per line)
# with an administrative lock in the protected password database
while read -r USER
do
    /usr/lbin/modprpw -l -m alock=YES "$USER"
    if [ $? -eq 0 ]
    then
        echo "$USER deactivated" >>deactivate.log
    else
        echo "failed to deactivate $USER" >>deactivate.log
    fi
done < userlist
****

Remember not to deactivate
root and system related accounts ;-)

To enable them replace
the modprpw command above with
/usr/lbin/modprpw -l -k $USER


-raj
Take it easy.
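One way to produce the "userlist" that the loop above reads, while keeping root and the system accounts out of it as raj warns. This is an added example, not code from the thread: build_userlist, sample_passwd and the UID cut-off of 100 are assumptions of the example (HP-UX sites commonly start ordinary users at or above 100, but adjust the value to local policy), and the passwd lines are constructed sample data, not from any real system.

```shell
#!/usr/bin/sh
# Added example (not from the thread): build the "userlist" consumed by the
# modprpw loop, keeping root and system accounts out of it.
# build_userlist, sample_passwd and the default UID floor are assumptions.

# Print login names from a passwd-format file ($1) whose UID is at least $2
# (default 100) and whose shell is not a no-login shell; root is always skipped.
build_userlist() {
    pwfile="$1"
    minuid="${2:-100}"
    awk -F: -v min="$minuid" '
        $1 == "root"               { next }   # never lock root
        $3 + 0 < min               { next }   # system and daemon accounts
        $7 ~ /\/(false|nologin)$/  { next }   # already unable to log in
        { print $1 }
    ' "$pwfile"
}

# Constructed sample passwd content for a dry run (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
adm:*:4:4::/var/adm:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
www:*:30:1::/:/usr/bin/false
scott:*:101:20:Scott:/home/scott:/usr/bin/ksh
raj:*:102:20:Raj:/home/raj:/usr/bin/sh
svc:*:250:20:Service:/home/svc:/usr/bin/false
EOF
}

# Dry run against the sample; on a real system the equivalent would be
#   build_userlist /etc/passwd 100 > userlist
if [ "${1:-}" = "--demo" ]; then
    tmp="/tmp/passwd.sample.$$"
    sample_passwd > "$tmp"
    build_userlist "$tmp" 100
    rm -f "$tmp"
fi
```

Review the generated list before feeding it to modprpw; the UID floor and the shell filter are heuristics, and a service account with a real shell and a high UID will be listed even if it must stay active.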
Patrick Wallek
Honored Contributor

Re: disabling ALL user access trusted system

Something I just thought about that I got burned on once.

If you are using the /etc/nologin functionality, and are NOT working from the console or have web console access, make sure that you temporarily move the file /etc/securetty (assuming the file contains the word console) so that root can login from anywhere and not just the console.

If you use nologin, and have /etc/securetty set and you log out of your terminal, you are going to have a hard time getting back in as root, unless you have console access.
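A small maintenance-mode toggle that puts Patrick's two posts together: it sets NOLOGIN=1 in /etc/default/security and writes /etc/nologin as the TKB steps describe, and it checks /etc/securetty before doing so. This is an added example, not code from the thread or from HP; nologin_enable, nologin_disable, nologin_status and the ROOT prefix are names invented for the example. Where Patrick moves /etc/securetty aside so root can get back in from anywhere, this version instead refuses to arm nologin when the admin is not on the console and securetty would confine root to it, so the lock-out cannot happen and securetty is never weakened. It assumes the login patch (PHCO_24083 on 11.0) or 11.11 is in place, since without that login ignores the file entirely.

```shell
#!/usr/bin/sh
# Added example, not from the thread: a "maintenance mode" toggle built on
# NOLOGIN=1 in /etc/default/security plus the /etc/nologin message file.
# ROOT is a hypothetical prefix (empty on a real system) so the functions can
# be rehearsed against a scratch directory before touching /etc.
ROOT="${ROOT:-}"

# Return 0 if /etc/securetty exists and names only "console", i.e. root could
# not log back in from any other terminal; return 1 otherwise (no file, or
# other terminals listed).
securetty_confines_root() {
    f="$ROOT/etc/securetty"
    [ -f "$f" ] || return 1
    if grep -v '^console$' "$f" | grep -q .; then
        return 1
    fi
    return 0
}

# Arm the nologin feature and write the user-facing message.
#   $1  message shown to users
#   $2  terminal the admin is working from (defaults to tty(1))
# Returns 2 without changing anything when the caller is not on the console
# and /etc/securetty would lock root out everywhere else.
nologin_enable() {
    msg="$1"
    mytty="$2"
    [ -n "$mytty" ] || mytty=$(tty 2>/dev/null || echo unknown)
    if securetty_confines_root && [ "$mytty" != "/dev/console" ]; then
        echo "refusing: /etc/securetty limits root to the console and this session is on $mytty" >&2
        return 2
    fi
    sec="$ROOT/etc/default/security"
    mkdir -p "$ROOT/etc/default"
    if [ -f "$sec" ] && grep -q '^NOLOGIN=' "$sec"; then
        # rewrite an existing NOLOGIN line (HP-UX sed has no -i)
        sed 's/^NOLOGIN=.*/NOLOGIN=1/' "$sec" > "$sec.tmp" && mv "$sec.tmp" "$sec"
    else
        echo "NOLOGIN=1" >> "$sec"
    fi
    # world readable, root writable, as the TKB document requires
    chown root "$sec" 2>/dev/null || true
    chmod 644 "$sec"
    echo "$msg" > "$ROOT/etc/nologin"
    chmod 644 "$ROOT/etc/nologin"
}

# Let logins resume. NOLOGIN=1 stays in /etc/default/security; it only has
# an effect while /etc/nologin exists.
nologin_disable() {
    rm -f "$ROOT/etc/nologin"
}

# Report "enabled", "disabled", or "unarmed" (message file present but
# NOLOGIN=1 not set, so login would ignore it).
nologin_status() {
    if [ -f "$ROOT/etc/nologin" ]; then
        if [ -f "$ROOT/etc/default/security" ] && grep -q '^NOLOGIN=1' "$ROOT/etc/default/security"; then
            echo enabled
        else
            echo unarmed
        fi
    else
        echo disabled
    fi
}

# Command-line use on a real system (run as root, ROOT unset):
#   sh nologin.sh on "System maintenance is taking place, please login again after 4:00 PM."
#   sh nologin.sh status
#   sh nologin.sh off
case "${1:-}" in
    on)     nologin_enable "${2:-System maintenance underway, please try again later.}" ;;
    off)    nologin_disable ;;
    status) nologin_status ;;
esac
```

The "unarmed" status is worth checking on 11.0 hosts: an /etc/nologin file without NOLOGIN=1 (or without the login patch) looks like maintenance mode to the admin but stops nobody, which is the trap Bill describes further down.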
Scott Van Kalken
Esteemed Contributor

Re: disabling ALL user access trusted system

That's a very good point, but fortunately I do have lan console access.
Bill Hassell
Honored Contributor

Re: disabling ALL user access trusted system

Unlike other flavors of Unix, /etc/nologin does not work at all on 10.20 and earlier, or with 11.0 and higher unless you have the latest security patches and enable the security file options.

You can emulate /etc/nologin in /etc/profile with something like this:

# emulated /etc/nologin check for /etc/profile: root gets a banner and
# continues, everyone else sees the message and is logged out
if [ -r /etc/nologin ]
then
    if [ "$(/usr/bin/id -u)" = "0" ]
    then
        /usr/bin/banner "No user"
        /usr/bin/banner "logins"
        echo "\n\nSystem Maintenance underway.\n\n"
    else
        echo "\n\n\n\nNo logins allowed at this time.\n"
        # show the message stored in /etc/nologin, then end the session
        /usr/bin/cat /etc/nologin
        sleep 5
        exit
    fi
fi

Be sure to change /etc/csh.login too if your users run csh rather than POSIX shell or ksh.


Bill Hassell, sysadmin