Operating System - HP-UX

logon by userid instead and su to application

dgizaw
Frequent Advisor

logon by userid instead and su to application

Hi every body,

How do I disable users from logging in directly with the application userid? I want the user to log in as him/herself and su to the application. If something happens I will be able to trace who logged in at that time.

Thanks
Do not undermine a challenge
12 replies
spex
Honored Contributor

Re: logon by userid instead and su to application

Jonathan Fife
Honored Contributor
Solution

Re: logon by userid instead and su to application

If you have sudo installed I'd disable the account by putting a * in the password field in /etc/passwd, adding all the application users to an appusers group, and then modifying the sudoers file:

%appusers localhost=/usr/bin/su -
Decay is inherent in all compounded things. Strive on with diligence
Rick Garland
Honored Contributor

Re: logon by userid instead and su to application

sudo is the choice.

Allows you to capture the logging as to who did the su to the account.
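
The two replies above (disable the password, route access through sudo, and use the logging to see who did the su) lead straight to the question in the original post: who became the application account at a given time. The script below is an added example, not code from this thread, and shows how that is answered from the two records HP-UX gives you: the syslog line sudo writes for every command, and /var/adm/sulog, where su(1) appends one line per attempt in the form "SU MM/DD HH:MM + tty from-to" ("+" success, "-" failure). All log lines are constructed samples; the account name asap and the user kevin are the ones used in the thread, maria, dave and the host name hpbox are made up.

```sh
#!/bin/sh
# Added example: who became the application account, from sudo's syslog
# output and from HP-UX /var/adm/sulog. Sample lines are constructed.

SUDO_SAMPLE=$(cat <<'EOF'
Mar 15 09:12:03 hpbox sudo:    kevin : TTY=pts/1 ; PWD=/home/kevin ; USER=root ; COMMAND=/usr/bin/su - asap
Mar 15 09:40:11 hpbox sudo:    maria : TTY=pts/2 ; PWD=/home/maria ; USER=root ; COMMAND=/usr/bin/su - asap
Mar 15 09:55:30 hpbox sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/su - asap
Mar 15 10:02:45 hpbox sudo:    kevin : TTY=pts/1 ; PWD=/home/kevin ; USER=root ; COMMAND=/usr/bin/su - oracle
Mar 15 10:20:05 hpbox sudo:    maria : TTY=pts/2 ; PWD=/home/maria ; USER=root ; COMMAND=/usr/sbin/swlist
EOF
)

SULOG_SAMPLE=$(cat <<'EOF'
SU 03/15 09:12 + pts/1 kevin-asap
SU 03/15 09:40 + pts/2 maria-asap
SU 03/15 09:55 - pts/3 dave-asap
SU 03/15 10:02 + pts/1 kevin-oracle
SU 03/15 10:30 + console root-asap
EOF
)

# sudo_su_users TARGET   (sudo syslog lines on stdin)
# Prints, de-duplicated and space separated, the invoking users whose
# sudo command was an accepted "su [-] TARGET". Rejected commands
# ("NOT in sudoers", "command not allowed") are skipped.
sudo_su_users() {
    awk -v t="$1" '
        /sudo:/ && !/NOT in sudoers/ && !/command not allowed/ {
            rest = substr($0, index($0, "sudo:") + 5)
            sub(/^[ \t]+/, "", rest)
            split(rest, a, " ")                 # a[1] is the invoking user
            if (match($0, /COMMAND=.*/)) {
                nf = split(substr($0, RSTART + 8), c, " ")
                if (c[1] ~ /(^|\/)su$/ && c[nf] == t) print a[1]
            }
        }' | sort -u | paste -s -d ' ' -
}

# sulog_su_users TARGET   (/var/adm/sulog lines on stdin)
# Source accounts of successful su's to TARGET. The "from-to" field is
# split at its first '-', so this assumes usernames without a hyphen.
sulog_su_users() {
    awk -v t="$1" '
        $1 == "SU" && $4 == "+" {
            i = index($6, "-")
            if (substr($6, i + 1) == t) print substr($6, 1, i - 1)
        }' | sort -u | paste -s -d ' ' -
}

# sulog_at TARGET HH:MM   (/var/adm/sulog lines on stdin)
# Who successfully became TARGET in the given minute: the "if something
# happens, who was it at that time" question from the original post.
sulog_at() {
    awk -v t="$1" -v when="$2" '
        $1 == "SU" && $3 == when && $4 == "+" {
            i = index($6, "-")
            if (substr($6, i + 1) == t) print substr($6, 1, i - 1)
        }' | paste -s -d ' ' -
}

printf '%s\n' "$SUDO_SAMPLE"  | sudo_su_users asap       # kevin maria
printf '%s\n' "$SULOG_SAMPLE" | sulog_su_users asap      # kevin maria root
printf '%s\n' "$SULOG_SAMPLE" | sulog_at asap 09:40      # maria
```

On a real system feed the functions with /var/adm/sulog and whatever file syslogd sends sudo's messages to. Two caveats when you set this up: the sulog record only exists because the user went through su, so the password of the application account has to be unusable (the "*" in /etc/passwd from the reply above) or people will keep logging in directly and leave no trace; and sudoers matches command arguments exactly, so an entry of just "/usr/bin/su -" permits only "sudo su -" (root) and the entry has to name the account, "/usr/bin/su - asap", to permit the switch to the application user.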

Tim Nelson
Honored Contributor

Re: logon by userid instead and su to application

This has a hole in it but could be an option.

In the profile of the su'd user, check with ps that the number of processes is greater than two, i.e. there must be two shells running. If not, exit.

Now the user could change the .profile after su'ing so this is not a secure option.

Setting the user's shell to /usr/bin/false might work, but typically you want a shell and the profile to be read when doing su - user.

I have always looked for this option as well, if you find a secure solution make sure you repost.


The only other choice so far would be to use sudo.

dgizaw
Frequent Advisor

Re: logon by userid instead and su to application

Thank you guys for the quick responses. I was wondering if there is anything in HP-UX similar to Solaris /etc/udeny. In /etc/udeny you list the application userid, and that disables anybody from logging in directly; they are only able to su. Your suggestions are a little complex; if that is the only choice I might have to use it.


Thank you all
Do not undermine a challenge
Sp4admin
Trusted Contributor

Re: logon by userid instead and su to application

Hello,

As stated above, the SShd2_config file has a deny user line. But what about the /etc/limilogins file? You may want to check and make an entry in that file also.

Sp,
dgizaw
Frequent Advisor

Re: logon by userid instead and su to application

Sp,
The version of OpenSSH I have is 3.7 and SShd2_config does not exist. I checked ssh_config and sshd_config for a deny user line and it is not there. Can I put a line in?

Thanks
Do not undermine a challenge
Steven E. Protter
Exalted Contributor

Re: logon by userid instead and su to application

Shalom,

This is simple.

Users have no business having the password for the application user.

Change it and don't tell the user.

This is a policy issue, not an admin issue. If you disable the login, root won't be able to su -c username command to start the application server process.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
dgizaw
Frequent Advisor

Re: logon by userid instead and su to application

SEP,
If they do not know the password, how can they su to the application user? Here is an example of what I want to do.
application userid : asap
username: kevin

First Kevin should log in as kevin and su to asap to get to the application. Right now a lot of people log in as asap, and I want to know who that person is. If they try to log in to the system as asap, the system should not let them log in.

Thanks
Do not undermine a challenge
KapilRaj
Honored Contributor

Re: logon by userid instead and su to application

I think the ssh way is the best.

OR ..

In the .profile ,

# -eq compares integers; string comparison of user names needs =
if [ "`whoami`" = "asap" ]
then
exit 0
fi

Change the ownership of .profile to root (can you change the home owner to root as well and then create all the child directories owned by the "asap" user?).

I think this will work; users may have to use "su" instead of "su -" so that the profile is not processed.

Test it ...


Kaps
Nothing is impossible
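
The .profile guard in the reply above has the limitation its author points out: whoami reports the effective user, which is asap both for a direct login and after "su - asap", so users have to drop the "-" to get past it. The script below is an added example, not Kapil Raj's or Tim Nelson's code, and uses logname(1) instead: logname reports the name the terminal session was logged in with (from utmp) and is unchanged by su, so after kevin runs "su - asap" it still says kevin, while a direct login as asap says asap. The account name asap is the one from the thread; the function names are this example's own.

```sh
#!/bin/sh
# Added example: a .profile guard that distinguishes a direct login as
# the application account from an su into it, using logname(1).
APP_USER=asap

# is_direct_login LOGIN_NAME EFFECTIVE_USER
# Returns 0 (true) when the session was logged in directly as APP_USER.
# Returns 1 when the effective user is APP_USER but the session belongs
# to someone else (an su from a personal account), and also when no
# login name is known (empty: cron jobs, root running
# "su - asap -c start_app" from a session with no utmp entry), so
# administrative starts of the application keep working.
is_direct_login() {
    _login=$1
    _eff=$2
    [ "$_eff" = "$APP_USER" ] && [ "$_login" = "$APP_USER" ]
}

# guard_message LOGIN_NAME EFFECTIVE_USER
# Prints the refusal text when the guard should fire, nothing otherwise.
guard_message() {
    if is_direct_login "$1" "$2"; then
        printf 'Direct login as %s is not permitted; log in as yourself and run: su - %s\n' \
            "$APP_USER" "$APP_USER"
    fi
}

# What goes at the top of ~asap/.profile. The file (and ideally the
# home directory) must be owned by root and not writable by asap, or
# the user can simply edit the guard out after the first su.
profile_guard() {
    _msg=$(guard_message "$(logname 2>/dev/null)" "$(id -un)")
    if [ -n "$_msg" ]; then
        echo "$_msg" >&2
        exit 1
    fi
}

# Walk through the cases with fixed inputs, as the real .profile would
# see them.
guard_message asap  asap     # direct login as asap: refused
guard_message kevin asap     # kevin did "su - asap": silent, allowed
guard_message ""    asap     # no utmp entry (cron, su -c): allowed
guard_message kevin kevin    # not the application account: allowed
```

Like every .profile-based control this only covers login shells: "su asap" without the "-" and non-interactive ssh commands never read .profile, so it is a convenience that nudges users toward "su - asap" from their own account, not a substitute for making the account's password unusable and routing access through sudo, which is what actually produces the audit trail asked for in the original post.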
Rick Garland
Honored Contributor

Re: logon by userid instead and su to application

In HP-UX 11.23 there is RBAC, Role Based Access Control.

This will allow you to fine tune some of the access restrictions.

dgizaw
Frequent Advisor

Re: logon by userid instead and su to application

Thank you all for the responses. I did the easier one: created a new .profile with exit 0 and told the users to do as Kapil Raj suggested. It is working.


Thanks
Do not undermine a challenge