Operating System - HP-UX
Global Server Operation
Frequent Advisor

Restrict Direct Login

Is there a way to configure ssh to disable remote login access for a non-root user (a DBA), so the user is required to login with an individual account and su to the DBA ID?

OS is 11i.
Richard Allen
Frequent Advisor
Solution

Re: Restrict Direct Login

man sshd on my 11.11 system has:

Regardless of the authentication type, the account is checked to
ensure that it is accessible. An account is not accessible if it is
locked, listed in DenyUsers or its group is listed in DenyGroups.

Also, can't you just replace the password field in /etc/passwd (assuming you are not using shadow passwords or trusted mode) with a * for that DBA user, thus forcing all users to log in as themselves and then use su?
Rajeev  Shukla
Honored Contributor

Re: Restrict Direct Login

I don't see a way. You can't restrict a user from logging in through ssh unless you make the shell nologin, but in your case you can't do that as it's the DBA administrator login.

The only solution in my mind for your problem is to hide the DBA password with you, so no one can log in, and when they want to su to the DBA account let them use sudo to do that.
Prashant Zanwar_4
Respected Contributor

Re: Restrict Direct Login

It is possible by not giving the password to such accounts and keeping the accounts locked.
Only sudo to the account will be allowed this way.
Configuring sudoers is the better way. I don't know a way through ssh.

Hope it helps
Thanks
Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
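Richard's, Rajeev's and Prashant's replies above all rest on the same condition: the DBA account's password field must be unusable, so that sudo (or su by someone who already holds a password) is the only route in. The following is an added example, not code from this thread or from HP: a small POSIX sh audit that reads a passwd-format file (a constructed sample is embedded in it) and reports whether each listed account is really locked, flagging the empty field that would let anyone in with no password at all. The sudoers rule in the comment, the group name dba and the target account oracle are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not HP's code). Checks, offline, whether
# named accounts can still authenticate with a password, i.e. whether the
# "lock the DBA account and reach it only via su/sudo" approach actually holds.
# Password-field conventions used here:
#   "*", "*LK*..." or "!..." -> locked: no password can ever hash to it
#   ""                       -> NO password: anyone can log in as that user
#   anything else            -> a hash: password login is still possible
# Caveat: with shadow passwords or HP-UX trusted mode, /etc/passwd shows "*"
# for every account and the real field lives in /etc/shadow or /tcb, so feed
# this the file that actually holds the hashes.

# Constructed sample, not a real system's file.
SAMPLE_PASSWD='root:abcXYZ123:0:3::/:/sbin/sh
oracle:*:101:20:DBA account:/home/oracle:/usr/bin/sh
dba2:*LK*abcXYZ:102:20:locked with passwd -l:/home/dba2:/usr/bin/sh
dba3::103:20:no password at all:/home/dba3:/usr/bin/sh
jsmith:xyz789ABC:104:20:individual login:/home/jsmith:/usr/bin/sh'

# password_state USER PASSWD_CONTENT -> prints locked | nopasswd | hashed | missing
password_state() {
    field=$(printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2; found = 1 } END { if (!found) print "<missing>" }')
    case $field in
        '<missing>') echo missing ;;
        '')          echo nopasswd ;;
        '*'*|'!'*)   echo locked ;;
        *)           echo hashed ;;
    esac
}

# audit_locked PASSWD_CONTENT USER... -> exit 0 if every listed user is locked;
# otherwise print each offender with its state and exit 1
audit_locked() {
    content=$1; shift
    rc=0
    for u in "$@"; do
        state=$(password_state "$u" "$content")
        [ "$state" = locked ] || { echo "$u: $state"; rc=1; }
    done
    return $rc
}

# Once the account is locked, the DBA team still needs a route to it. In
# sudoers (assumed group name, assumed target account), for example:
#   %dba ALL = (oracle) ALL       # members then run: sudo -u oracle -i
# su to oracle stays blocked for everyone but root, since su checks the same
# password field.

audit_locked "$SAMPLE_PASSWD" oracle dba2 dba3 \
    || echo "some DBA accounts still accept a direct login"
```

Run against the sample, the audit reports `dba3: nopasswd`: an empty field is the opposite of locked, and it is the state a hurried `vipw` edit can leave behind. On the trusted-mode and shadow systems Richard mentions, point it at the file that holds the real hashes, otherwise every account reads as locked.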
Patrice Le Guyader
Respected Contributor

Re: Restrict Direct Login

Demat,

Under the authentication section in the sshd_config file add a
line to deny users like this:

-----------------------------------------
# Authentication:

#LoginGraceTime 600
PermitRootLogin no
DenyUsers titi toto tutu tata <----
#StrictModes yes
-------------------------------------

You can also restrict users at the group level, but note that this does not
stop anyone from logging in as themselves and su'ing to the user that is not
allowed in (assuming they know the password).

$ man sshd_config
[snip]
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. `*' and `?' can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.

Hope this helps
Pat
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Global Server Operation
Frequent Advisor

Re: Restrict Direct Login

Thanks. I will give it a try.
Alzhy
Honored Contributor

Re: Restrict Direct Login

Or if you want to restrict what logins can ssh login:

AllowUsers larry curly moe

If you need to restrict direct SSH login for root to the console and follow /etc/securetty: OpenSSH 4.2p1 (or the latest HP Secure Shell) now finally plugs this hole. Simply add:

EnforceSecureTTY yes


With this, root will no longer be able to ssh direct - BUT will still be able to do "ssh server some-command".

Hakuna Matata.
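Patrice's DenyUsers fragment (with the man page excerpt) and Alzhy's AllowUsers line are evaluated by sshd in a fixed order, and the two interact: a name matched by DenyUsers is refused even if AllowUsers also names it, and once AllowUsers is set, everyone it does not name is refused too. The following is an added example, not code from this thread, from HP or from OpenSSH: a POSIX sh model of that evaluation (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with the `*` and `?` wildcards and the USER@HOST form from the man page) run over a constructed sshd_config, passwd and group file, so that an admin can predict what an edit does to each user before restarting sshd. Every host, user and group name in it is made up, and the CIDR host form of later OpenSSH releases is deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH's or HP's code): an offline
# evaluator for sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups so you can
# see what a config edit does to a given user BEFORE restarting sshd.
# Evaluation order follows sshd_config(5):
#   1. DenyUsers   matches            -> deny
#   2. AllowUsers  set and no match   -> deny
#   3. DenyGroups  matches            -> deny
#   4. AllowGroups set and no match   -> deny
#   otherwise the user passes the access lists (password/lock state is a
#   separate check and is NOT modelled here).
# Patterns use * and ?; USER@HOST checks user and host parts separately.
# Assumptions: shell case does the glob matching (it also accepts [..], which
# sshd does not); the host part is matched as a pattern only, the CIDR form
# of newer OpenSSH releases is not modelled.
set -f   # no pathname expansion: patterns like dba? must not glob against cwd

# Constructed inputs, not copied from any real host.
SSHD_CONFIG='Port 22
PermitRootLogin no
DenyUsers oracle dba?
AllowUsers jsmith tjones auditor backup@10.0.0.5 oracle@dbadmin.example
DenyGroups contractors
AllowGroups dba staff'

PASSWD_FILE='jsmith:x:104:20::/home/jsmith:/usr/bin/sh
tjones:x:106:20::/home/tjones:/usr/bin/sh
auditor:x:107:50::/home/auditor:/usr/bin/sh
backup:x:105:20::/home/backup:/usr/bin/sh
oracle:x:101:30::/home/oracle:/usr/bin/sh
dba1:x:110:30::/home/dba1:/usr/bin/sh
dba10:x:111:30::/home/dba10:/usr/bin/sh'

GROUP_FILE='staff:x:20:
dba:x:30:jsmith
contractors:x:40:tjones
audit:x:50:'

# config_values KEYWORD -> values of every non-comment line with that keyword
config_values() {
    printf '%s\n' "$SSHD_CONFIG" \
        | awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; printf "%s ", $0 }'
}

# user_groups USER -> primary group plus every group listing USER as a member
user_groups() {
    gid=$(printf '%s\n' "$PASSWD_FILE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_FILE" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# pattern_matches PATTERN USER HOST -> 0 if PATTERN (user or user@host) matches
pattern_matches() {
    case $1 in
        *@*) upat=${1%%@*}; hpat=${1#*@}
             case $2 in $upat) ;; *) return 1 ;; esac
             case $3 in $hpat) return 0 ;; *) return 1 ;; esac ;;
        *)   case $2 in $1) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# any_user_match LIST USER HOST -> 0 if any pattern in LIST matches USER from HOST
any_user_match() {
    for p in $1; do pattern_matches "$p" "$2" "$3" && return 0; done
    return 1
}

# any_group_match LIST GROUPS -> 0 if any pattern in LIST matches any of GROUPS
any_group_match() {
    for p in $1; do
        for g in $2; do case $g in $p) return 0 ;; esac; done
    done
    return 1
}

# ssh_login_allowed USER HOST -> prints allow or deny:<keyword>; exit 0 only on allow
ssh_login_allowed() {
    groups=$(user_groups "$1")
    if any_user_match "$(config_values DenyUsers)" "$1" "$2"; then
        echo deny:DenyUsers; return 1; fi
    allow_u=$(config_values AllowUsers)
    if [ -n "$allow_u" ] && ! any_user_match "$allow_u" "$1" "$2"; then
        echo deny:AllowUsers; return 1; fi
    if any_group_match "$(config_values DenyGroups)" "$groups"; then
        echo deny:DenyGroups; return 1; fi
    allow_g=$(config_values AllowGroups)
    if [ -n "$allow_g" ] && ! any_group_match "$allow_g" "$groups"; then
        echo deny:AllowGroups; return 1; fi
    echo allow
}

for probe in oracle@dbadmin.example jsmith@ws1.example backup@10.0.0.5 \
             backup@10.0.0.6 dba1@ws1.example dba10@ws1.example \
             tjones@ws1.example auditor@ws1.example; do
    printf '%-24s %s\n' "$probe" "$(ssh_login_allowed "${probe%%@*}" "${probe#*@}")"
done
```

The oracle@dbadmin.example probe is the instructive one: the AllowUsers entry for it never gets a say, because DenyUsers is consulted first, which is exactly the behaviour wanted for the DBA account in this thread. Note also that dba10 slips past the `dba?` pattern (one character too long) and is only stopped because AllowUsers is set; without an AllowUsers line it would be let through. As Patrice says, none of this affects su, telnet or the console, and a user who passes these lists still has to authenticate, so pair it with a locked password field on the DBA account.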
Rick Garland
Honored Contributor

Re: Restrict Direct Login

Depending on what version of 11.i you have, look into RBAC (Role Based Access Control)

Provides greater granularity for these types of controls.