Operating System - HP-UX

Turn off Direct Login via /etc/profile for privileged users

KPS
Super Advisor

Turn off Direct Login via /etc/profile for privileged users

Just trying to confirm if there's a way to disable direct logins for privileged users like root and also application users through the use of /etc/profile. If so, could you share this with me?

Thanks
-KPS
Pete Randall
Outstanding Contributor

Re: Turn off Direct Login via /etc/profile for privileged users

Ken,

Code something like this should handle it:

if [ `id -u` -eq 0 ]
then
    echo "direct login as root not allowed"
    exit 1
fi


Pete

James R. Ferguson
Acclaimed Contributor

Re: Turn off Direct Login via /etc/profile for privileged users

Hi Ken:

If '/etc/securetty' exists and you place the value "console" in it, you can restrict root logins to that device.

The '/etc/defaults/security' file also has some useful options for limiting access to root. Have a look at its SU_ROOT_GROUP, for instance.

See the manpages for 'login(1)' and 'security(4)' for more information.

Regards!

...JRF...
Bill Hassell
Honored Contributor
Solution

Re: Turn off Direct Login via /etc/profile for privileged users

Since all normal shell logins go through /etc/profile, there are a number of controls you can put into /etc/profile. As mentioned, you can limit root so it is not allowed a direct login except through the console, and indirectly using su (or better yet, sudo). For the rest of the users, you might create a file of disallowed users such as /etc/disallowed.users with each user login on a separate line such as:

billh
jamesf
kens

Then near the top of /etc/profile (ALWAYS after the line: trap "" 1 2 3) add something like this:

for NOTALLOWED in $(cat /etc/disallowed.users)
do
    if [ "$LOGNAME" = "$NOTALLOWED" ]
    then
        echo "\n --- login not allowed ---\n"
        exit
    fi
done

And that's it. Now anytime billh, jamesf or kens try to login, they are kicked out immediately.


Bill Hassell, sysadmin
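The same deny-list check as a function that can be exercised outside a real login, as an added example that is none of the posters' own code. It assumes the one-login-per-line file format from the post above and uses a whole-line fixed-string grep instead of the unquoted for-loop, so a listed name cannot match only part of a line and a missing list file does not lock everyone out.

```shell
# Added example, not code from the thread. Assumed file format: one login
# name per line, as in the /etc/disallowed.users file described above.
#
# login_allowed LOGNAME FILE  -> exit status 0 if LOGNAME may continue,
#                                1 if LOGNAME is listed in FILE.
login_allowed() {
    _user=$1
    _file=$2
    # A deny list that is missing or unreadable denies nobody; that matches
    # the behaviour of the for-loop version when cat fails.
    [ -r "$_file" ] || return 0
    # -F: fixed string, -x: whole line only (so "ken" does not match "kens"),
    # -e: the name is an argument even if it begins with "-", -q: no output.
    if grep -q -F -x -e "$_user" "$_file"; then
        return 1
    fi
    return 0
}

# Fragment to put in /etc/profile, after the trap "" 1 2 3 line so that an
# interrupt sent during the check cannot abort the profile and leave the
# user at a shell prompt:
#   login_allowed "$LOGNAME" /etc/disallowed.users ||
#       { echo "\n --- login not allowed ---\n"; exit 1; }

# Constructed sample deny list for a stand-alone run.
DEMO_LIST=$(mktemp)
printf '%s\n' billh jamesf kens > "$DEMO_LIST"
```

Run with `sh` after sourcing the file; `login_allowed kens "$DEMO_LIST"` returns 1 while `login_allowed ken "$DEMO_LIST"` returns 0.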
KPS
Super Advisor

Re: Turn off Direct Login via /etc/profile for privileged users

Thanks everyone. Those are all great responses and options.

I do appreciate your help...

KPS
Steve Steel
Honored Contributor

Re: Turn off Direct Login via /etc/profile for privileged users

Hi

/etc/securetty (list of valid ttys for root login) is good, or

in /etc/profile:

if [ "$name" = checkname ]
then
    echo "$name not allowed to login...only su"
    exit
fi
#end

Note: checkname should be replaced with the name of the user to whom direct login access is denied.


You could also do:

for checkname in $(echo "list of logins to exclude")
do
    if [ "$LOGNAME" = "$checkname" ]
    then
        echo "$LOGNAME can only be accessed via su - command"
        exit
    fi
done


Steve Steel

If you want truly to understand something, try to change it. (Kurt Lewin)
Bob Ferro
Regular Advisor

Re: Turn off Direct Login via /etc/profile for privileged users

I tried the script to not allow direct login and it worked fine except when I tried to su - myuserid, it didn't let me in. Is there a way to distinguish between a direct login and a su in /etc/profile?

Thanks