Restrict user account access to SU only...

Status
Not open for further replies.

dmarsee

Technical User
Apr 27, 2001
I need to restrict access to one shared user account so that users cannot log in to the account unless they use "su".

In other words: only if they have already logged on to the server using their own personal userid can they then access this administrative account.

I am not referring here to ROOT but rather to an account that owns one sensitive application on the server.

The object is to stop the application administrators from using telnet or xwindows directly into the admin account. (They will, however, have to use telnet or xwindows to get onto the server in the first place as themselves.)

It doesn't seem like an odd request but I can't find information on how to do it.

Thanks for any help, in advance...

Don Marsee
 
I have found that this works.

Set up your user account without a home directory in the password file.

Now if you try to telnet into this account it will immediately drop the connection.

However if you su to the user, it will let you in to the account - although you will still be in your own home directory.

I tried this on a SGI server, but it should work on others
 
dmarsee,

You can modify the /etc/default/login file. Look for the following line:

#CONSOLE=/dev/console

Uncomment (remove the #) this line and save the file. Try to telnet to the server and log in as root... it will not allow it. Users must log in as themselves and then su to root. I have done this on many of my servers and it works excellently.


soladm
 
This is what I have in /etc/profile that will restrict users to su only on certain accounts.

LIST=/etc/nologinlist
# Login name of the session; "who am i" reports the original login even after su
ME=`who am i | awk '{print $1}'`
# Anchored match so "app" does not match "appadmin"; skip the check if the name is unknown,
# since an empty pattern would match every line and lock out every session
if [ -n "${ME}" ] && grep "^${ME}\$" "${LIST}" >/dev/null 2>&1
then
echo ""
echo "You are not able to login directly as ${ME}."
echo "You must login using your personal account, and then use 'su'."
exit
fi

Add all the userids whose direct login you want to restrict to the /etc/nologinlist file.
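A stand-alone version of that /etc/profile check, added here as an illustration (it is not code from the thread). It builds a constructed list file under $TMPDIR with the made-up names appadmin and oracle instead of reading /etc/nologinlist, matches whole lines so a prefix of a restricted name cannot match, and treats an unknown login name or missing list as "not restricted" rather than refusing every session:

```shell
#!/bin/sh
# Added example, not code from the thread: a fail-safe variant of the
# /etc/profile gate above. The list file is constructed here so the
# script runs stand-alone; the real list would be /etc/nologinlist.

# Constructed sample list (one login name per line); the names are assumptions.
NOLOGIN_LIST="${TMPDIR:-/tmp}/nologinlist.$$"
printf 'appadmin\noracle\n' > "$NOLOGIN_LIST"

# is_restricted NAME LISTFILE
# Returns 0 when NAME is listed on its own line in LISTFILE, 1 otherwise.
# -x anchors the whole line ("app" must not match "appadmin"); -F takes
# NAME literally. An empty NAME or an unreadable list never matches, so a
# broken "who am i" does not lock every session out.
is_restricted() {
    ir_name=$1
    ir_list=$2
    [ -n "$ir_name" ] || return 1
    [ -r "$ir_list" ] || return 1
    grep -Fx "$ir_name" "$ir_list" >/dev/null 2>&1
}

# login_name
# Prints the account the session was opened with. "who am i" reports the
# original login even after su; logname is the fallback when there is no
# utmp entry for the terminal. Prints an empty line if neither knows.
login_name() {
    ln_name=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$ln_name" ] || ln_name=$(logname 2>/dev/null || :)
    printf '%s\n' "$ln_name"
}

# profile_gate NAME LISTFILE
# Returns 0 if a session logged in as NAME may continue, 1 if it must be
# refused (printing the message the user sees).
profile_gate() {
    if is_restricted "$1" "$2"; then
        echo ""
        echo "You are not able to login directly as $1."
        echo "You must login using your personal account, and then use 'su'."
        return 1
    fi
    return 0
}

# In /etc/profile (assumed placement) the tail of the file would read:
#   trap '' INT QUIT TSTP      # so the user cannot interrupt the check
#   profile_gate "$(login_name)" /etc/nologinlist || exit
# Here we only report what would happen for the current session.
me=$(login_name)
if profile_gate "$me" "$NOLOGIN_LIST"; then
    echo "login as '${me:-unknown}' is allowed; su to the shared account to use it"
else
    echo "(the login shell would exit here)"
fi
rm -f "$NOLOGIN_LIST"
```

Two caveats apply to any /etc/profile gate: only Bourne-family login shells read /etc/profile, so a restricted account whose shell is csh or tcsh skips it entirely, and non-interactive sessions do not read it at all. Ignoring INT, QUIT and TSTP before the check (as in the commented tail above) stops the user from interrupting the script with Ctrl-C before it reaches exit.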
 