Paul Czetwertynski
Occasional Contributor

Restricting User Access

Is it possible to restrict certain user accounts from being able to directly telnet into a server? In essence, to force users to SU to the account from a personal account (like what happens when you have a securetty file for root). I don't want to filter by IP address, but by user name.

For my particular environment, I'm looking to limit our DBAs' ability to login directly as "oracle" to the server. I want them to login with their username first, then SU.
unixdaddy
Trusted Contributor

Re: Restricting User Access

Although the OS does not provide this capability directly (there is nothing
similar to /etc/securetty for root), adding the following statements to
/etc/profile or /etc/csh.login should prevent a certain user from
login but allow su - username.

Expand on the "if" statement if there are multiple accounts.


For Bourne and POSIX shells, add the following to /etc/profile:

# logname reports the name used at login, so it stays unchanged after su -
name=`logname`
if [ "$name" = username ]
then
  echo "$name not allowed to login...only su"
  exit
fi
#end

For C shell, add the following to /etc/csh.login:

# logname reports the name used at login, so it stays unchanged after su -
set name=`logname`
if ( "$name" == username ) then
  echo "$name not allowed to login...only su"
  exit
endif
#end

Dan Hetzel
Honored Contributor

Re: Restricting User Access

Darren, Paul,

DBAs usually need the full oracle environment, so they will use 'su -' to become oracle user.

In that case (su -) the /etc/profile and $HOME/.profile are sourced and checking for the oracle user name in one of those files will not help.

An alternative would be to prevent all login by replacing the password field in /etc/passwd with a string that is a guaranteed no-match, i.e. an asterisk.
In that case, 'su - oracle' can only be issued by root as it won't prompt for a password.
To circumvent this, you could use 'sudo' and allow members of the dba group to issue 'su - oracle'. It won't ask for the oracle user password.

SUDO can be downloaded from the HP Software Archive and Porting Center or from http://www.courtesan.com


Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Mark Wyckoff
Occasional Advisor

Re: Restricting User Access

Paul,
Dan's suggestion is right on. I am utilizing the sudo program to allow certain users access to 'application owner' IDs on our systems (i.e. oracle), and it works like a champ. It also gives you additional information about who is using certain IDs, how often, etc. through log files and e-mail to root.

Mark
unixdaddy
Trusted Contributor

Re: Restricting User Access

I'm confused (isn't hard). I thought the requirement was to stop users from logging into oracle directly. The /etc/profile (with amended code) will check that the user attempting to log in isn't oracle. If they therefore log in directly, the test will succeed and exit out. If they su, then the login name is different and therefore the test will fail, allowing login. Is that correct or am I talking out of my hat?
Dan Hetzel
Honored Contributor

Re: Restricting User Access

Hi Darren,

Don't worry, you're not talking 'out of your hat' (maybe I was?)
I should have read your answer more carefully. You deserve the 10 points ;-)

Best regards,

Dan


Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
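A generalised version of unixdaddy's /etc/profile check, as an added example that is not code from this thread: it handles the multiple-account case unixdaddy mentions and shows, with constructed names, why Dan's concern about `su -` sourcing /etc/profile does not apply, since logname reports the name used at login rather than the effective user. The account list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It generalises unixdaddy's
# /etc/profile check to several restricted accounts and makes explicit why
# "su - oracle" still works: logname(1) reports the name used at login,
# while id -un reports the effective user, so after su the two differ.

# Constructed list of application-owner accounts that must not log in directly.
RESTRICTED_LOGINS="oracle sybase"

# is_restricted NAME -> exit status 0 if NAME is in RESTRICTED_LOGINS, else 1
is_restricted() {
    for _acct in $RESTRICTED_LOGINS; do
        [ "$1" = "$_acct" ] && return 0
    done
    return 1
}

# login_verdict LOGIN_NAME EFFECTIVE_USER -> prints one word:
#   deny  - direct login as a restricted account
#   su    - personal login that has switched to a restricted account
#   allow - anything else
login_verdict() {
    if is_restricted "$1"; then
        echo deny
    elif is_restricted "$2"; then
        echo su
    else
        echo allow
    fi
}

# The hook /etc/profile runs: refuse only a direct login, keep su - working,
# and leave an audit line on stderr for the su case.
enforce_login_policy() {
    _login=$(logname 2>/dev/null || echo "${LOGNAME:-unknown}")
    _eff=$(id -un)
    case $(login_verdict "$_login" "$_eff") in
        deny) echo "$_login not allowed to login...only su" 1>&2; exit 1 ;;
        su)   echo "$_login switched to $_eff via su" 1>&2 ;;
    esac
}

enforce_login_policy
```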
james mcintyre_1
Occasional Advisor

Re: Restricting User Access

The utility tcpwrapper will allow you to control who can login and from where. It will also control ftp if you're interested.


jim mc.....