
List:       focus-sun
Subject:    Re: Prevent remote User login
From:       Blair Barrett <bbarrett () nyis ! net>
Date:       2003-10-17 11:50:19

Noel,

We create the role account and then lock it. We allow access 
through Sudo:

http://www.courtesan.com/sudo/

It's relatively straightforward, and you can restrict the ability to 
switch user based on groups. We also by default change the permissions 
on both instances of su (/usr/bin/su and /sbin/su) so that only root 
can execute it.

We've been doing this for years - it works on most flavors of Unix 
including Solaris.

The user simply switches user to the locked account by typing

/usr/local/bin/sudo su - [account] (or simply sudo su - ... if 
/usr/local/bin is in the user's PATH statement).

They will be prompted for their own password, and once successfully 
authenticated will be switched to the account.

Blair






> Noel del Rosario wrote:
>> Glenn,
>> Is there something that could prevent a user to do a remote login
>> to another valid user_id account (say 'oracle' or '9ias') but
>> allows them to do 'su - oracle' or 'su - 9ias' after they
>> successfully login remotely using their own user_id account
>> (say 'rosario' or 'watanabe').
>> cheers,
>> noel
>
>
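
Added example (not part of the message above and not code from the sudo project): a shell audit of the three controls the reply describes, namely that the role account is locked, that a group-based sudoers rule permits "su - <account>", and that su carries no group/other permission bits. The file contents, the "dba" group and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three controls from the message against copies of
# the relevant files. Every path is a parameter; nothing on the host is changed.

# is_locked SHADOW ACCOUNT: true if the password field marks the account locked
# (*LK* on Solaris; a leading ! or * on Linux-style shadow files).
is_locked() {
    field=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    case "$field" in
        '*LK*'*|'!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# group_rule SUDOERS ACCOUNT: print each %group allowed to run "su - ACCOUNT".
group_rule() {
    awk -v u="$2" '
        /^[ \t]*#/ { next }
        $1 ~ /^%/ && $0 ~ ("/su[ \t]+-[ \t]+" u "([ \t,]|$)") { print substr($1, 2) }
    ' "$1"
}

# su_owner_only FILE: true if group and other have no permission bits on FILE.
# Ownership is not checked here; on a real host su is owned by root.
su_owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample data (hypothetical group "dba", placeholder hashes).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/shadow" <<'EOF'
rosario:Xq3examplehash:12345::::::
oracle:*LK*:::::::
9ias:Yz7examplehash:12345::::::
EOF
cat > "$tmp/sudoers" <<'EOF'
# members of the dba group may become oracle
%dba    ALL = (root) /usr/bin/su - oracle
EOF
: > "$tmp/su" && chmod 4700 "$tmp/su"

for acct in oracle 9ias; do
    if is_locked "$tmp/shadow" "$acct"; then state=locked; else state="NOT locked"; fi
    echo "$acct: $state; sudo groups: $(group_rule "$tmp/sudoers" "$acct" | tr '\n' ' ')"
done
if su_owner_only "$tmp/su"; then echo "su: owner only"; else echo "su: open to group/other"; fi
```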
