HPE Community
Operating System - HP-UX
1833412 Members
3318 Online
110052 Solutions
New Discussion

User Login

 
SOLVED
Go to solution
G V R Shankar
Valued Contributor

‎04-24-2009 04:57 AM

‎04-24-2009 04:57 AM

User Login

hi,

Following is my requirement.

I have a unix user which controls the applicaiton. No one should login to the server using this account using ssh or telnet or any other application.

They shud login using their individual account and then they should be able to do su - apps_account.

Is it possible, if so, please explain.

Cheers,
Ravi
0 Kudos
11 REPLIES 11
Robert-Jan Goossens_1
Honored Contributor

‎04-24-2009 05:03 AM

‎04-24-2009 05:03 AM

Re: User Login

Hi Ravi,

Just lock the password of the user.

# passwd -l user

Regards,
Robert-Jan
0 Kudos
G V R Shankar
Valued Contributor

‎04-24-2009 05:13 AM

‎04-24-2009 05:13 AM

Re: User Login

$ su - test
Your password was changed by root
Password:
Account is disabled - see Account Administrator
su: Sorry

Doesn't meet my requirement.

Ravi.
0 Kudos
vinod_25
Valued Contributor

‎04-24-2009 05:21 AM

‎04-24-2009 05:21 AM

Re: User Login

Hi Ravi,

Keep the shell column of the user as /bin/false in /etc/passwd - this will meet ur requirement.

Vinod
0 Kudos
G V R Shankar
Valued Contributor

‎04-27-2009 02:45 AM

‎04-27-2009 02:45 AM

Re: User Login

hi Vinod,

If i keep the shell /bin/false, it will not allow me to login over ssh or even su - test.

Ravi.
0 Kudos
Robert-Jan Goossens_1
Honored Contributor

‎04-27-2009 03:27 AM

‎04-27-2009 03:27 AM

Re: User Login

Ravi,

I changed the passwd field in the (my case) /etc/shadow file to LOCKED for a test user. Now you can use su - user to switch user, but you can not login directly with this user account.

gorj:LOCKED:14361::::::

Regards,
Robert-Jan
0 Kudos
G V R Shankar
Valued Contributor

‎04-27-2009 05:38 AM

‎04-27-2009 05:38 AM

Re: User Login

Hi,

There are 2 challeges here. When we change it to LOCKED, it actually changes the password field and whenever user types the password, it doesn't match the encrypted pasword, becoz, we have removed the encrypted password and put a new word LOCKED.

So they user will never login to the server over telnet or ssh. instead of chnaging the encrypted portion, I can just change the password of the apps users and keep it with me ;)

As you said, I can do su - test, but I can do it as root. I cannot switch to the user as a normal user. Again the password will not work.

Cheers,

Ravi.
0 Kudos
Autocross.US
Trusted Contributor

‎04-27-2009 05:47 AM

‎04-27-2009 05:47 AM

Re: User Login

Do you have sudo in your environment? If so, you could set the password to something random and then setup a sudo profile for the users to be able to sudo to the account w/o a password. Here's an example sudoers for this:

User_Alias PROD = user1, user2, user3
PROD ALL = NOPASSWD: /usr/bin/su [-] apps_acct

The user would login with their account and then run: sudo su - apps_acct

If configured properly, the users won't be prompted for the apps_acct password.

I drive way too fast to worry about calories.
0 Kudos
G V R Shankar
Valued Contributor

‎04-27-2009 06:27 AM

‎04-27-2009 06:27 AM

Re: User Login

Hi,

Using sudo is the last thing in my mind. Is there any way to accomplish my requirement.

Ravi.
0 Kudos
OldSchool
Honored Contributor

‎04-27-2009 06:38 AM

‎04-27-2009 06:38 AM

Re: User Login

"Using sudo is the last thing in my mind. Is there any way to accomplish my requirement."

ok, locking the account means you can't "su -" as a normal user, as the password has to work.

changing shell to "false" won't work as you need a shell.

however, sudo will let "normal" users "su -" to the locked account using *their* password, because they'd be running the "su" as root.

Maybe sudo need to move up on your list?
0 Kudos
Autocross.US
Trusted Contributor

‎04-27-2009 08:00 AM

‎04-27-2009 08:00 AM

Solution

Re: User Login

You could do one of the following:

- in the apps_account users .profile, create a script check to see if the account was logged into directly or by su (who am i). The script would exit if logged into directly. I've done something like this in Solaris.

- Another method would be to deny the user access to each application. See the 'DenyUsers' directive for ssh and ftpusers for ftp. I'm sure most apps can be configured to deny a specific user.

I drive way too fast to worry about calories.
0 Kudos
G V R Shankar
Valued Contributor

‎04-29-2009 08:18 AM

‎04-29-2009 08:18 AM

Re: User Login

Implimented the solution provided by Autocross.US.

Thank You.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.