Block telnet for ID but only allow SU

Status
Not open for further replies.

hookem1994

Technical User
Mar 28, 2001
15
US
I am needing to deny telnet access for a batch ID to a UNIX server, however I need to permit users to SU to the ID. Any suggestions? I know that I can block telnet by changing the shell to /bin/false, but then you can't SU to it.

Thanks in advance,
David
hookem1994
 
Do you only su to this account from root?

If so, the easiest way is to simply lock the account using passwd -l userid.

Otherwise, in that user's .profile, you could compare the username values produced by logname and /usr/xpg4/bin/id -un, and if they are the same (i.e. the user has not su'd) chuck them out. Annihilannic.
 
I wouldn't recommend setting this in the user's .profile since once they su to the account, they will be able to modify their .profile and gain telnet access. I add the following bit of code to /etc/profile to deny users telnet access, but allow su access. You just need to change and/or add login IDs to the LOGNAME variables.

#
# Block login access for certain users
#
# "who am i" reports the name this session was originally logged in as;
# $LOGNAME is the current account. They only match on a direct login,
# not after an su from another account.
if [ "`/usr/bin/who am i | awk '{print $1}'`" = "$LOGNAME" ] ; then
    if [ "$LOGNAME" = "oracle" -o "$LOGNAME" = "nsuser" -o "$LOGNAME" = "named" ] ; then
        echo "This id is not authorized to login directly"
        exec sleep 5
    fi
fi
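The same direct-login check, factored into testable functions, as an added example that is not from this thread. DENIED_LOGINS is an assumed variable name; the comparison logic (original login name from who am i versus the current account) is the one the post above uses.

```shell
#!/bin/sh
# Added example, not the poster's code. Decide whether the current session is a
# direct login by a restricted account, or an su from some other account.
# DENIED_LOGINS is an assumed name; list the batch accounts to restrict.
DENIED_LOGINS="oracle nsuser named"

# is_denied NAME: returns 0 if NAME is in DENIED_LOGINS, 1 otherwise.
is_denied() {
    for d in $DENIED_LOGINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# direct_login_blocked ORIGINAL_LOGIN CURRENT_USER
# Returns 0 (block) only when the session was logged in directly as
# CURRENT_USER (ORIGINAL_LOGIN equals CURRENT_USER) and that account is
# on the deny list. An su from another account leaves ORIGINAL_LOGIN
# unchanged, so it differs from CURRENT_USER and is allowed.
direct_login_blocked() {
    orig="$1"; cur="$2"
    [ "$orig" = "$cur" ] || return 1
    is_denied "$cur"
}

# The original login name comes from utmp via "who am i". It is empty for
# sessions without a tty (e.g. "ssh host command", cron), so this check
# cannot see those; pair it with sshd/login restrictions for such cases.
current_login_name() {
    who am i 2>/dev/null | awk '{print $1}'
}

# enforce: the call /etc/profile would make. Returns 1 when the login
# should be refused, 0 otherwise.
enforce() {
    orig=$(current_login_name)
    [ -n "$orig" ] || return 0
    if direct_login_blocked "$orig" "$(id -un)"; then
        echo "This id is not authorized to login directly" >&2
        return 1
    fi
    return 0
}
```

In /etc/profile you would follow a non-zero enforce with an exit (or the post's exec sleep 5) so the shell never reaches the prompt.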
 
I neglected to mention that the user's .profile would need to be owned by root and read only. Annihilannic.
 
I just did this....
lock passwd for user name...
create a uid gid c prog that will run the su
command as root to that user... Example:

#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setgid(0); setuid(0);            /* binary is installed setuid root */
    return system("su - <userid>");  /* replace <userid> with the batch ID */
}

or you could use sudo and alias the command

I went with the c prog because I could better control
stuff... Like limit who could run it; from where; stuff like that.
 