prevent all users except one or two accounts from logging in

[WiccaChic]

Hi all. I know I can create a "nologin" file in /etc that will prevent everyone but root from logging on. Is there a way I could prevent everyone but root and one other account from logging on? I have a need to allow the primary account for my informix database to login as well as root when I have these maintenance mode type situations.

Thanks in advance.

 

[lillracksingen]

The file [tt]/etc/nologin[/tt] will disable all users except root. To allow more users to log in you could instead do this:
[tt]
# chsec -f /etc/security/user -s default -a login=false -a rlogin=false
[/tt]
If you want to disable rsh and rexec logins as well:
[tt]
# chsec -f /etc/security/user -s default -a login=false -a rlogin=false -a ttys=ALL,!RSH,!REXEC
[/tt]
Then to enable logins for root and individual users:
[tt]
chuser login=true rlogin=true root
chuser login=true rlogin=true user1
...
[/tt]
To also enable rsh and rexec:
[tt]
chuser login=true rlogin=true ttys=ALL root
chuser login=true rlogin=true ttys=ALL user1
...
[/tt]

 

[KenCunningham]

The way I've done this in the past (not on an AIX system though), is to add a portion of code to the /etc/profile file and exclude any users not included in a file I create with the usernames to be allowed access, using $LOGNAME to grep for the name and issuing a message if the user doesn't appear in it. This seems a more 'humane' way of preventing access and might prevent help calls from users who don't know what's going on. HTH.

 

[WiccaChic]

Thanks for the answers! I really like your idea Ken, thanks!

 

[lillracksingen]

If you use /etc/profile then you may also need to apply the same to /etc/csh.login if you have users using C-shell.