
Prevent direct logins


gaz0181 (MIS), Jun 20, 2006, GB
We would like to be able to prevent users from logging in directly using shared accounts, e.g. "oracle". Site policy is that they have to log in with their personal account and su to the shared account (for audit purposes), however we have no system in place to enforce this. Is there a way that this can be done? Please note that we do not use sudo. Any help with this will be much appreciated. Thanks.
 
RBAC works better in Solaris 10. This is role-based control, and once set up it is much like sudo and has granular control, down to resources. It has worked (with problems) from Solaris 8 to 9.
 
Do you allow console access? If ssh is the only way in, you could deny them using the DenyUsers directive.
 
Sorry, should have said we use Solaris 8 in most cases, though newer servers are built with Solaris 10 (when the application allows). Emm, no - typically the DBAs would not have access to the system console. Just remote access via telnet, ssh in some cases, etc.
 
Then I would investigate a PAM solution. I would still add those lines in sshd_config because ssh has a non-interactive shell that can give users access (I need to check that).
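
The DenyUsers suggestion above can be checked mechanically. The following is an added example, not part of the original thread: a shell function that reports which shared accounts an sshd_config-style file leaves open to direct SSH login. The function name, the sample file and every account other than "oracle" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report shared accounts that an
# sshd_config-style file does NOT block with DenyUsers.

# unlisted_shared_accounts CONFIG ACCOUNT...   (hypothetical helper name)
# Prints each account no DenyUsers pattern covers; returns 1 if any is printed.
unlisted_shared_accounts() {
    config=$1; shift
    # The keyword is case-insensitive and may appear on several lines.
    patterns=$(awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }' "$config")
    missing=0
    set -f                      # keep "*" in patterns from expanding to file names
    for account in "$@"; do
        covered=no
        for pat in $patterns; do
            case $pat in
                *@*|!*) continue ;;   # host-limited or negated: not a blanket deny
            esac
            # sshd patterns use * and ?, which case matching also understands
            case $account in
                $pat) covered=yes; break ;;
            esac
        done
        if [ "$covered" = no ]; then
            echo "$account"
            missing=1
        fi
    done
    set +f
    return $missing
}

# Constructed sample config; "oracle" comes from the thread, the rest is assumed.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
denyusers oracle app*
DenyUsers backup@10.0.0.5
#DenyUsers sybase
EOF

# Reports "backup" (host-limited entry only) and "sybase" (line commented out).
unlisted_shared_accounts "$sample" oracle appsrv backup sybase || echo "^ not blocked for SSH"
```

DenyUsers is read only by sshd, so a clean result here says nothing about the telnet logins mentioned in the thread; those still need the PAM-level control suggested above.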
 