
Re: Prevent direct Login
jpmc admin
New Member

Prevent direct Login

Hi

We have application IDs logging in directly to the systems. We want to prevent the application IDs (e.g. oracle) from logging in directly to the system. Instead, the user has to log in with their own ID first and then do su - appID to the application.

How do we do this ?

Thanks in Adv for the help !

Rgds / JPMC
Rick Garland
Honored Contributor

Re: Prevent direct Login

I am currently working on such as well. Here is what I have found thus far...

In the /etc/passwd file, change the shell for the user account to /bin/false. Users can ftp and su to that account but will not be able to log in. (Have not tested yet)

Use the output from 'who am i' and compare it with a file you create called '/etc/nodirectlogin'.

In /etc/profile you have something like this:
# login name that owns the terminal; after "su - oracle" this is still the real user
WHO=`who am i | awk '{print $1}'`
# the list file holds one bare login name per line, so match the whole line
if [ -n "$WHO" ] && grep -qx "$WHO" /etc/nodirectlogin
then
echo "$WHO cannot login directly"
fi

The /etc/nodirectlogin file has:
oracle
sybase
etc...

In the second example, just test for a user name in /etc/profile and, depending on the result, allow access or not. This will not affect the ability to su -.

Ivan Ferreira
Honored Contributor

Re: Prevent direct Login

You can use the pam_access module. Configure it in the /etc/pam.d/system-auth file.

Then edit the /etc/security/access.conf file and specify that the user is not allowed to log on locally:

-:oracle:LOCAL
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: Prevent direct Login

I also thought of the /bin/nologin or /bin/false shell for the user, but then you won't be able to use "su -" (with the -).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Gopi Sekar
Honored Contributor

Re: Prevent direct Login


I just checked the man page of the login program. Interestingly, it checks the /etc/usertty file for login restrictions; I believe you can configure it per user or per group.

Check the man page of login.

Hope this helps,
Gopi
Never Never Never Giveup
Muthukumar_5
Honored Contributor

Re: Prevent direct Login

--- /etc/profile ---

# /etc/profile is read by the POSIX shell, so use [ ] rather than [[ ]]
if [ "$USER" = "oracle" ]
then

echo "Please log in with your own ID. Then do su to the application login ID"
sleep 5
# exit from a sourced /etc/profile ends the login shell
exit 1
fi

Put this in. It will start to work.

hth.
Easy to suggest when you don't know about the problem!
Ivan Ferreira
Honored Contributor

Re: Prevent direct Login

The last script can be cancelled before the exit (within the 5 seconds of sleep).

If you want to use that, use stty to disable the interrupt/break keys.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Raj D.
Honored Contributor

Re: Prevent direct Login

Hi JPMC ,

You can install sudo; it's a very good tool to restrict users and various permissions.

You may look at this link :
http://www.courtesan.com

Cheers ,
Raj
" If u think u can , If u think u cannot , - You are always Right . "
Ranjith_5
Honored Contributor

Re: Prevent direct Login

Hi,

Change the application ID password so that it contains # or @. Now with a telnet session this ID won't be able to log in directly. This is my experience with HP-UX so far; I haven't tested on Linux.

Regards,
Syam
Ivan Ferreira
Honored Contributor

Re: Prevent direct Login

The above solution won't allow su to that user by any user other than root, because you must specify the password.

If you are going to use that solution, you should use sudo to enable users to su as root to the application users.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Florian Heigl (new acc)
Honored Contributor
Solution

Re: Prevent direct Login

If it's enough to prevent ssh logins, there's a really easy solution, even if it's 'the other way round':

There's an option for sshd_config called AllowedGroups (or something like that).

Create a group 'interactive' and add all 'real' users to it, but not others like oracle, dba, bin, sys, lp and the like.

Every user that is not contained in the group will be prohibited from logging in after the daemon restart.
yesterday I stood at the edge. Today I'm one step ahead.
Ranjith_5
Honored Contributor

Re: Prevent direct Login

Hi Ivan,

I think JPMC's need is to know who all are currently logged into the system. Maybe he doesn't mind sharing the appID password with the users if this is his purpose.

Regards,
Syam
Florian Heigl (new acc)
Honored Contributor

Re: Prevent direct Login

Muthukumar,

You need to make sure to trap ^C and other signals, otherwise the oracle user will probably be logged in if someone hits ^C, killing the sleep process.
yesterday I stood at the edge. Today I'm one step ahead.