Operating System - HP-UX

easy way to restrict direct logins

Scott Van Kalken
Esteemed Contributor

Hey all,

I'm looking for a creative solution here.

We have a bunch of oracle "support" people who come along and tie up their horses and wear cowboy hats.

I would like to STOP these clowns from logging in directly as the oracle user.

Now, I've thought about some things like changing the profile of the oracle user, and a few other things.

I know I can change the profile of the oracle user to be owned by root with read permission for the prod support people.

This will work, they shouldn't be able to change it.

What I would like to know, is what other creative solutions have people used?

Thanks in advance.

Scott.
Scott Van Kalken
Esteemed Contributor

Re: easy way to restrict direct logins

oops

I should clarify.

When I say "change the profile to root owned and readable by the prod support people"... I mean, it has a message and then logs you out (well, this MAY cause havoc with other things as well).

IDEAS?
Sanjay_6
Honored Contributor

Re: easy way to restrict direct logins

Hi Scott,

Take a look at this thread,

http://us-support.external.hp.com/cki/bin/doc.pl/sid=fba12e7b184c1f0586/screen=ckiDisplayDocument?docId=200000051899524

Hope this is what you are looking for.

Regds
Sridhar Bhaskarla
Honored Contributor
Solution

Re: easy way to restrict direct logins

Scott,

It is a good idea to disable generic users like oracle, mqm, etc. Users should log in as themselves and then su to these accounts. The way I implement this is by modifying the /etc/profile and /etc/csh.login files. Keep this small segment in your /etc/profile file.

Create a file called /var/adm/.generic and keep all the generic users in it. Now check if the user is in the .generic file and exit if so.

# Shared accounts are listed one per line in /var/adm/.generic.
# grep -x matches whole lines only, so "ora" does not match "oracle".
if grep -x "$LOGNAME" /var/adm/.generic > /dev/null 2>&1
then
    # "who am i" reports the user recorded in utmp for this tty: after "su - oracle"
    # it is still the real person; on a direct login it is the generic account itself
    # (or empty when there is no utmp entry at all).
    ORIG_USER=`who am i | awk '{print $1}'`
    if [ -z "$ORIG_USER" -o "$ORIG_USER" = "$LOGNAME" ]
    then
        clear
        echo "You are supposed to login as yourself and then su to $LOGNAME"
        sleep 5
        exit
    fi
fi

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: easy way to restrict direct logins

Here's what we did with the oracle id and a few others.

We put a * in the passwd field in /etc/passwd for the oracle user. This way the only way you can log in as oracle is to do a 'su - oracle' as root. Obviously we don't want the users to have the root passwd, so we installed sudo (sudo information here: http://www.courtesan.com/sudo/index.html ), and set up a script that was essentially:

#!/sbin/sh
# Wrapper run by the support user: sudo authenticates them with their own
# password and runs su as root, so nobody needs the root password.
exec sudo su - oracle
We then set the users up with the appropriate access in the sudoers file. So now when the user wanted to log in as oracle, they would execute the script, be prompted for their password by sudo, and they would be in.
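Putting the two approaches from this thread side by side, as an added example that is not code from any of the posters: a POSIX sh script with two small checks, the decision a /etc/profile guard makes (Sridhar's method, using a whole-line grep match and a "who am i" comparison so that someone who has su'd from their own login is let through while a direct login is refused) and a check that an account's /etc/passwd password field is "*" so it cannot be logged into directly at all (Patrick's method). The file names, the account list and the passwd entries are constructed for the demo; the script assumes a standard (non-trusted-mode) /etc/passwd and that "who am i" reports the utmp entry for the tty. One caveat worth keeping in mind: /etc/profile only runs for login shells, so a client that runs a command over ssh (ssh oracle@host somecommand) never sees the guard; locking the password field is the control that actually stops the login, and a sudoers entry restricted to the one command (for example /usr/bin/su - oracle) keeps that remaining route narrow.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for keeping support staff out
# of shared accounts such as oracle:
#   direct_login_denied   - the decision a /etc/profile guard makes
#   passwd_login_disabled - is the account locked with "*" in /etc/passwd?
# All paths and data used in the demo below are constructed for illustration.

# Return 0 (deny) when this is a direct login to a shared account.
#   $1  name the new shell runs as ($LOGNAME)
#   $2  name "who am i" reports for the tty: the user who really logged in
#       (unchanged after "su - oracle"), or empty when there is no utmp entry
#   $3  file listing shared accounts, one per line (e.g. /var/adm/.generic)
direct_login_denied() {
    _name=$1; _origin=$2; _list=$3
    # -x matches whole lines only, so "ora" does not match "oracle"
    grep -x "$_name" "$_list" >/dev/null 2>&1 || return 1
    # Reached through su from some other real user: let it through
    [ -n "$_origin" ] && [ "$_origin" != "$_name" ] && return 1
    # Direct login, or no utmp entry to prove otherwise: refuse
    return 0
}

# Return 0 when the account's password field in a passwd-format file is "*".
# Nothing hashes to "*", so the only way in is "su - <account>" as root
# (or via sudo); assumes a standard, non-trusted-mode passwd file.
#   $1  passwd file   $2  account name
passwd_login_disabled() {
    _entry=`grep "^$2:" "$1"` || return 1      # no such account
    _field=`printf '%s\n' "$_entry" | cut -d: -f2`
    [ "$_field" = "*" ]
}

# --- demo on constructed data (hashes below are made up) -----------------
tmp=${TMPDIR:-/tmp}/generic-demo.$$
mkdir "$tmp"
printf 'oracle\nmqm\n' > "$tmp/generic"
printf '%s\n' \
    'root:Kz7pQ2mLx9aBc:0:3::/:/sbin/sh' \
    'oracle:*:101:20:Oracle software owner:/home/oracle:/usr/bin/sh' \
    'scott:ab3Fd9zZkq2Xo:102:20:Scott:/home/scott:/usr/bin/sh' > "$tmp/passwd"

report() {   # $1 label, $2 word when the check holds, $3 word when it does not
    _label=$1; _yes=$2; _no=$3; shift 3
    if "$@"; then echo "$_label: $_yes"; else echo "$_label: $_no"; fi
}
report "direct login as oracle         " deny   allow      direct_login_denied oracle oracle "$tmp/generic"
report "su - oracle from scott         " deny   allow      direct_login_denied oracle scott  "$tmp/generic"
report "login as oracle, no utmp entry " deny   allow      direct_login_denied oracle ""     "$tmp/generic"
report "login as ora (prefix of oracle)" deny   allow      direct_login_denied ora    ora    "$tmp/generic"
report "login as scott                 " deny   allow      direct_login_denied scott  scott  "$tmp/generic"
report "oracle passwd field            " locked "not locked" passwd_login_disabled "$tmp/passwd" oracle
report "scott passwd field             " locked "not locked" passwd_login_disabled "$tmp/passwd" scott
rm -rf "$tmp"
```

Dropped into /etc/profile, the first function is called with "$LOGNAME" and the first field of "who am i"; the second is the kind of check to run from a cron job or audit script over the accounts listed in /var/adm/.generic, so that a password someone quietly set on the oracle account is noticed.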