User security
# 1  
Old 03-04-2005
User security

Need urgent help!!!
Hi,
I have an application that runs under a regular unix ID 'prod1'. I want to disable direct login for 'prod1' via ssh or telnet. But I do want some users to be able to su to prod1 and do application maintenance tasks. How can I accomplish that?

Also, if the above scenario is possible, then where do I define which users are allowed to su to prod1?

If anyone can answer this quickly, I would greatly appreciate it.
# 2  
Old 03-11-2005
Try with /etc/usertty (read more on it in the manual for login(1)).
Also try 'sudo'.

Regards
# 3  
Old 03-13-2005
Set the shell of the user 'prod1' to /bin/false in the /etc/passwd file. This will log out any user that logs in to this id via telnet or ssh, but will allow 'su prod1'. It will not allow 'su - prod1' though.
# 4  
Old 03-14-2005
My bad! Using /usr/bin/false for shell will disable any shell login on that id. Even su will not be allowed. The best thing to do would be to maintain the login shell for the user as /usr/bin/sh and have the user's .profile file as follows:
exit 0
Only the login shell will read the .profile, so users will be unable to log in to that id, but will be able to su to that id (not su - ).
# 5  
Old 03-14-2005
Disable telnet access by commenting out the appropriate line in /etc/inetd.conf, restrict remote SSH access to the server through the AllowUsers construct in sshd_config, remove remote ssh access into the server for the "prod1" account and set up su access ... may be a big problem if lots of people need access to the server ...

or ...

Lock the password for the "prod1" account, and set up su access ... may be hard to do without a working password unless you can modify su to take the current user's password instead of the "prod1" account's password ...
# 6  
Old 03-21-2005
I think the easiest way is to use /usr/bin/nologin which disallows direct login to a user id. My Oracle DBAs use it to force them to login as themselves then su - oracle.
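
The sshd_config restriction from post #5 and the sudo suggestion from post #2, as an added example that is not part of the original thread: a small audit that reads an sshd_config and a passwd file and reports whether an account can be reached directly over SSH. The account prod1 is from the thread; the group prodadm, the other user names and both sample files are constructed, and Match blocks and user@host patterns are not handled.

```shell
#!/bin/sh
# Added example. Account prod1 is from the thread; group prodadm, user names and
# both sample files are constructed. Who may become prod1 would be defined in sudoers:
#   %prodadm ALL=(prod1) ALL     # then: sudo -u prod1 <command>, with own password
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample
PermitRootLogin no
denyusers prod1 batch*
AllowUsers alice bob
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/sh
prod1:x:2001:2001::/opt/prod1:/usr/bin/nologin
EOF

# All arguments of one sshd_config keyword. Keywords are case-insensitive and
# repeated lines accumulate; Match blocks are not interpreted (simplification).
sshd_values() {  # $1=keyword $2=file
    awk -v k="$1" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# True if $1 matches any following pattern (* and ? only; user@host not handled).
in_list() {
    u=$1; shift
    for p in "$@"; do
        case "$u" in $p) return 0 ;; esac
    done
    return 1
}

# sshd checks DenyUsers before AllowUsers; a non-empty AllowUsers denies everyone else.
# Subshell body so that set -f (no filename expansion of patterns) stays local.
ssh_direct_login() (  # $1=user $2=sshd_config -> "denied" | "allowed"
    set -f
    deny=$(sshd_values DenyUsers "$2"); allow=$(sshd_values AllowUsers "$2")
    if in_list "$1" $deny; then echo denied
    elif [ -n "$allow" ] && ! in_list "$1" $allow; then echo denied
    else echo allowed; fi
)

# Login shell (7th passwd field) of an account.
login_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }

for acct in alice prod1; do
    printf '%s: ssh=%s shell=%s\n' "$acct" \
        "$(ssh_direct_login "$acct" "$SAMPLE_DIR/sshd_config")" \
        "$(login_shell "$acct" "$SAMPLE_DIR/passwd")"
done
```

On a real host, point the two functions at /etc/ssh/sshd_config and /etc/passwd; telnet and console logins are not covered by this check.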