HPE Community
Operating System - Linux
1828674 Members
2300 Online
109984 Solutions
New Discussion

Re: Prevent direct Login

 
SOLVED
Go to solution
jpmc admin
New Member

‎09-01-2005 07:32 AM

‎09-01-2005 07:32 AM

Prevent direct Login

Hi

We have the application ID's login directly to the systems. We want to prevent the application ID's ( eg : oracle) directly login to the system. Instead, the user has to login with their ID first and then do su - appID to the application .

How do we do this ?

Thanks in Adv for the help !

Rgds / JPMC
0 Kudos
Reply
12 REPLIES 12
Rick Garland
Honored Contributor

‎09-01-2005 08:23 AM

‎09-01-2005 08:23 AM

Re: Prevent direct Login

I am currently working on such as well. Here is what I have found thus far...

In the /etc/passwd file, change the shell for the user account to /bin/false. Users can ftp and su to that account but not be able to login. (Have not tested yet)

Use the output from 'who am i' and compare this with a file you create called '/etc/nodirectlogin'

In the /etc/profile you have something similar;
WHO=`${who am i|awk '{print $1}'
grep -q "^$WHO:" /etc/nodirectlogin
if [ $? = 0 ]
then
echo "$WHO cannot login directly"
fi

The /etc/nodirectlogin file has;
oracle
sybase
etc...

In the second example, just test for a user name in the /etc/profile, depending on the result, allow access or not. This will not affect the ability to su -

0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎09-01-2005 08:26 AM

‎09-01-2005 08:26 AM

Re: Prevent direct Login

You can use the pam_access module. Configure it in the /etc/pam.d/system-auth file.

Then edit the /etc/security/access.conf file and specify that the user is not allowed to logon locally.

-:oracle:LOCAL
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Ivan Ferreira
Honored Contributor

‎09-01-2005 09:00 AM

‎09-01-2005 09:00 AM

Re: Prevent direct Login

I also though the /bin/nologin /bin/false shell for the user, but won't be able to use the "su -" (with the -).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Gopi Sekar
Honored Contributor

‎09-01-2005 06:31 PM

‎09-01-2005 06:31 PM

Re: Prevent direct Login


I just checked the man page of login program. Interestingly it checks /etc/usertty files for login restrictions, I believe you can configure it for users, groups wise.

check the man page of login

Hope this helps,
Gopi
Never Never Never Giveup
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎09-01-2005 10:56 PM

‎09-01-2005 10:56 PM

Re: Prevent direct Login

--- /etc/profile ---

if [[ $USER = "oracle" ]]
then

echo "plz login with your own ID. Then do su to applicaiton login ID"
sleep 5
exit 1
fi

Put this. It will start to work.

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎09-02-2005 01:21 AM

‎09-02-2005 01:21 AM

Re: Prevent direct Login

The last script can be cancelled before the exit (withing the 5 seconds of sleep).

If you want to use that, use the stty to disable the interrupt/break keys.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Raj D.
Honored Contributor

‎09-02-2005 02:37 AM

‎09-02-2005 02:37 AM

Re: Prevent direct Login

Hi JPMC ,

You can install sudo , and its very good tool to restrict users and various permission.

You may look at this link :
http://www.courtesan.com

Cheers ,
Raj
" If u think u can , If u think u cannot , - You are always Right . "
0 Kudos
Reply
Ranjith_5
Honored Contributor

‎09-02-2005 03:51 AM

‎09-02-2005 03:51 AM

Re: Prevent direct Login

Hi,

Change the application ID password so that it contains # or @ . Now with a telnet session this ID wont be able to login directly. This is my experience with HP-UX so far I havent tested on linux.

Regards,
Syam
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎09-02-2005 04:32 AM

‎09-02-2005 04:32 AM

Re: Prevent direct Login

The above solution won't allow su to that user without any other user than root, because you must specify the password.

If you are going to use that solution, you should use sudo to enable users use su as root to applications users.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor

‎09-02-2005 04:55 AM

‎09-02-2005 04:55 AM

Solution

Re: Prevent direct Login

If it's enough to prevent ssh logins, there's a really easy solution, even if it's 'the other way round':

There's an option for sshd_config called AllowedGroups (or something like that).

create a group 'interactive' and add all 'real' users to it, but not others like oracle,dba,bin,sys,lp and the likes.

Every user that is not contained in the group will be prohibited login after daemon restart.
yesterday I stood at the edge. Today I'm one step ahead.
Reply
Ranjith_5
Honored Contributor

‎09-02-2005 04:59 AM

‎09-02-2005 04:59 AM

Re: Prevent direct Login

Hi ivan,

I think JPMC's need is to know who all are currently logged into the system. May be he doesnt mind to share the applID password with the users if this is his purpose.

Regards,
Syam
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor

‎09-02-2005 05:09 AM

‎09-02-2005 05:09 AM

Re: Prevent direct Login

Muthukumar,

You need to ensure to trap ^C and other commands, otherwise the oracle user will probably be logged in if someone hit's ^C, killing the sleep process.
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.