HPE Community
Operating System - HP-UX
1833695 Members
3720 Online
110062 Solutions
New Discussion

Re: Restrict initial logins to accounts other than root?

 
SOLVED
Go to solution
Carl Houseman
Super Advisor

‎11-30-2006 04:08 AM

‎11-30-2006 04:08 AM

Restrict initial logins to accounts other than root?

Is there any way to do this? We have several accounts that are used for running an application and would prefer that users not initially login to those accounts. Instead, they should use their personal login and then su to the application account. The purpose is to have some audit trail in syslog of who was operating under those accounts.

I know how to do this for CDE, but what about telnet and sshd?

thanks all...
0 Kudos
9 REPLIES 9
Coolmar
Esteemed Contributor

‎11-30-2006 04:49 AM

‎11-30-2006 04:49 AM

Re: Restrict initial logins to accounts other than root?

Hi Carl,

This thread should be able to help you:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=123216&admit=-682735245+1164908912885+28353475
0 Kudos
Carl Houseman
Super Advisor

‎11-30-2006 05:11 AM

‎11-30-2006 05:11 AM

Re: Restrict initial logins to accounts other than root?

A link earlier in that thread doesn't work.

Later on in the thread it suggests changes to .profile but there's a hitch I forgot to mention. Users need to be able to

su - name

to get to the restricted acount. So they will execute the .profile from su. Need another way.
0 Kudos
Ivan Ferreira
Honored Contributor

‎11-30-2006 05:14 AM

‎11-30-2006 05:14 AM

Solution

Re: Restrict initial logins to accounts other than root?

This is the thread you need:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1023896


The example is for oracle but you can modify it to use with any account.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎11-30-2006 05:18 AM

‎11-30-2006 05:18 AM

Re: Restrict initial logins to accounts other than root?

Hi Carl:

Executing 'su - logname' will cause the '.profile' for the 'logname' to be executed. [Posix shell assumed, here.]

As the last piece of the '.profile':

# exec /your_application_code

Regards!

...JRF...
0 Kudos
Coolmar
Esteemed Contributor

‎11-30-2006 05:19 AM

‎11-30-2006 05:19 AM

Re: Restrict initial logins to accounts other than root?

How about any of these suggestions:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1048593

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1070664

0 Kudos
Carl Houseman
Super Advisor

‎11-30-2006 05:46 AM

‎11-30-2006 05:46 AM

Re: Restrict initial logins to accounts other than root?

Ivan's reference thread had everything I need to fix up both sshd and telnet (with .profile changes). Thanks Ivan!

And in case that thread disappears, the solutions I've implemented are:

sshd_config:
DenyUsers username

.profile:
if [ `who -m|grep 'acctname'|wc -l` -gt 0 ]
then
exit
fi

with .profile owned by root and restricted permissions to prevent user changes.
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎11-30-2006 06:02 AM

‎11-30-2006 06:02 AM

Re: Restrict initial logins to accounts other than root?

Hi (again) Carl:

Hmmm...0-points for attempting to help you when your question/problem description assumes someone is Miss Cleo...

...JRF...
0 Kudos
Carl Houseman
Super Advisor

‎11-30-2006 06:09 AM

‎11-30-2006 06:09 AM

Re: Restrict initial logins to accounts other than root?

Apparently others in this topic were more in touch with Miss Cleo than you, James.

Either that or Miss Cleo wasn't really needed.
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎11-30-2006 06:16 AM

‎11-30-2006 06:16 AM

Re: Restrict initial logins to accounts other than root?

Hi:

> Apparently others in this topic were more in touch with Miss Cleo than you, James. Either that or Miss Cleo wasn't really needed.

Yeah, and I'll venture to say that you probably wouldn't say "thank you" to someone who even held a door open for you.

Don't worry, I got your point (no pun intended).

...JRF...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.