Disable telnet/ssh login for certain user (1570 Views)
Reply
Occasional Advisor
Sajjad Ali_1
Posts: 8
Registered: ‎03-04-2005
Message 1 of 16 (1,570 Views)
Accepted Solution

Disable telnet/ssh login for certain user

Need urgent help!!!
Hi,
I have an application that runs under a regular unix ID 'prod1'. I want to disable direct login for 'prod1' via ssh or telnet. But I do want some users to be able to su to prod1 and do application maintainence tasks. How can I accomplish that? Also the above scnerio is possible, then where do I define which users are allowd to su to prod1.

If anyone can answer this quickly, I would greatly appreciate it.

Thanks,
Tony
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Change the shell in /etc/passwd to /usr/bin/false

This will disable login completely.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor
RAC_1
Posts: 5,920
Registered: ‎03-21-2002
Message 3 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Put some code in /etc/profile. Something as follows.

uid=$(id -u)
if [[ ${uid} = "uid_of_user" ]]
then
echo "No direct logins"
else
echo "giving login"
fi

Anil
There is no substitute to HARDWORK
Occasional Advisor
Sajjad Ali_1
Posts: 8
Registered: ‎03-04-2005
Message 4 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

changing to /usr/bin/false wouldn't let anyone su to that userid.

Anil, your suggestion will solve who can and cannot su to that username. Thanks.

However, how do I disable direct login of prod1, yet still allow certain user to su to prod1 and prod1 would still be able to run jobs/scripts. Any solution to this? Thanks.
Honored Contributor
RAC_1
Posts: 5,920
Registered: ‎03-21-2002
Message 5 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

sudo comes to my mind. Here is how you can do it. Put the code that I gave in /etc/profile. this would not allow direct login and su (this code will also su prod1, but not su - prod1, cause in second command /etc/profile gets executed)

So configure sudo for all those users with the commands that they need to run as prod1.

"user1" ALL=(prod1) /xxx/prod1_command1 /yyy/prod1_command2

Now you run these programs as follows.

sudo /xxx/prod1_command
In this case /xxx/prod1 command will run under prod1 by user "user1"

man pages of sudo and visudo


Anil
There is no substitute to HARDWORK
Occasional Advisor
Sajjad Ali_1
Posts: 8
Registered: ‎03-04-2005
Message 6 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Anil,

I have tried putting your code in the /etc/profile, but the user prod1 is still being allowed to login directly.

uid=$(id -u)
if [[ ${uid} = "109" ]]
then
echo "This id is not allowed to login directly"
else
echo "giving login"
#set enviroment.

.................
................. etc. etc.

fi


What am I doing wrong? Thanks.
Honored Contributor
RAC_1
Posts: 5,920
Registered: ‎03-21-2002
Message 7 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Correction in code.

uid=$(id -u)
if [[ ${uid} -eq "109" ]]
then
echo "This id is not allowed to login
directly"
exit 1
else
echo "giving login"
fi

Did you check second post??
There is no substitute to HARDWORK
Honored Contributor
Darrel Louis
Posts: 856
Registered: ‎11-27-2000
Message 8 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Hi,

Do you have sudo installed on your Server.
With sudo you can define who's able to su to prod1.

Good Luck

Darrel
Esteemed Contributor
Mark Nieuwboer
Posts: 409
Registered: ‎08-06-2001
Message 9 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

Hi,

We have don something different.
We make a file /etc/not_loginable and in this file we put the application users.

Then in the /etc/profile we put the following code.
# custom code for denying generic account login
if logname > /dev/null 2>&1
then
LGNM=`logname`
if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
then
echo "\nDirect login not allowed for $LGNM\n"
sleep 2 # For display on ssh-login #
echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
logger -p user.err -t NOT_LOGINABLE
exit 1
fi
fi

When you login under your own account you are able to su to the user.

grtz. Mark
Trusted Contributor
Gordon  Morrison
Posts: 145
Registered: ‎07-28-2004
Message 10 of 16 (1,570 Views)

Re: Disable telnet/ssh login for certain user

See this thread. I think it has the answer you want.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=825287
What does this button do?
Occasional Advisor
Sajjad Ali_1
Posts: 8
Registered: ‎03-04-2005
Message 11 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

Darrel,

Do you have an example of SUDO configuration on who can SU to that user?

Thanks.
Occasional Advisor
Sajjad Ali_1
Posts: 8
Registered: ‎03-04-2005
Message 12 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

Nieuwboer,

Does /etc/profile get executed after a valid username/passwd attempt? The problem I am running into is that people are trying to guess the password of the service account and keep locking it up. I am trying to find a solution where as soon as you type in the username, it will kick you out before a password prompt. I don't think that's possible, is it? Thanks.
Trusted Contributor
Gordon  Morrison
Posts: 145
Registered: ‎07-28-2004
Message 13 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

I don't think that's possible either. I think what you really need is a club to re-program your users with.
What does this button do?
Trusted Contributor
Gordon  Morrison
Posts: 145
Registered: ‎07-28-2004
Message 14 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

I have designed a club for your users' reprogramming needs. (It may need some tweaking for your environment)
This will catch direct login attempts for a user, but will allow "su -" to that user.
Add the following to the relevant user's .profile :

uid=$(who am i|awk '{print $1}')
if [[ $uid = username ]] ; then
who -u | grep username | mailx -s "Attempted intrusion" root@hostname
echo""
echo "###################"
echo "Logging in directly as username is prohibited!"
echo "This attempt has been logged."
echo "Repeated attempts will result in diciplinary action."
echo "Please login as yourself, then use su"
echo "###################"
echo ""
exit
fi

What does this button do?
Esteemed Contributor
Mark Nieuwboer
Posts: 409
Registered: ‎08-06-2001
Message 15 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

Sajjad,

Don't forget to give pionts.
Esteemed Contributor
Mark Nieuwboer
Posts: 409
Registered: ‎08-06-2001
Message 16 of 16 (1,566 Views)

Re: Disable telnet/ssh login for certain user

Hi Sajjad,

Your right my sollution don't prevent that the can lock the user. It will prevent to log on as that user. etc/profile is executed with al attemps of a valid user. futher more you must have disipline your people or kick temp for trying to hack.
solution above is a good one.

grtz, Mark
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.