
List:       linux-390
Subject:    Re: SLES10 su only id
From:       Dominic Coulombe <dominic.coulombe () gmail ! com>
Date:       2009-10-20 15:56:57
Message-ID: 29f187e20910200856l7c6343b7ra5ce7d150bee7c6c () mail ! gmail ! com

Hi,


On Tue, Oct 20, 2009 at 11:23, Smith, Ann (ISD, IT) <
ann.smith@thehartford.com> wrote:

> I wondered what methods other folks use to prevent direct login to an id
> on a SLES10 server and allow login only via su.
>


You can deny specific users from logging in through SSH (see man sshd_config):

AllowUsers: This keyword can be followed by a list of user name patterns,
separated by spaces.
DenyUsers: This keyword can be followed by a list of user name patterns,
separated by spaces.


That way, your users can connect with their own userid, then "su" to the
(denied) shared userid.


You will then have something like this logged to the /var/log/messages file:

Oct 20 11:40:15 MYLINUXHOST sshd[8443]: Accepted keyboard-interactive/pam for myuser123 from 1.2.3.4 port 3686 ssh2
Oct 20 11:40:18 MYLINUXHOST su: (to root) myuser123 on /dev/pts/0



Regards,
Dominic Coulombe

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to LISTSERV@VM.MARIST.EDU with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
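
Added example, not part of the original message: a small audit over log lines in the format quoted above that lists every su into a su-only account and flags any direct SSH login to one (which would mean DenyUsers is missing or not taking effect). The account name "shareduser", the function name and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample in the syslog format shown in the message above;
# "shareduser" and the last two lines are assumptions for illustration.
SAMPLE_LOG = """\
Oct 20 11:40:15 MYLINUXHOST sshd[8443]: Accepted keyboard-interactive/pam for myuser123 from 1.2.3.4 port 3686 ssh2
Oct 20 11:40:18 MYLINUXHOST su: (to root) myuser123 on /dev/pts/0
Oct 20 11:52:02 MYLINUXHOST sshd[8510]: Accepted password for shareduser from 1.2.3.4 port 3701 ssh2
Oct 20 11:55:40 MYLINUXHOST su: (to shareduser) myuser123 on /dev/pts/0
"""

# "Accepted <method> for <user> from <src> port <n>" written by sshd
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# "(to <target>) <user> on <tty>" written by su on success
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) su: "
    r"\(to (?P<target>[^)]+)\) (?P<user>\S+) on (?P<tty>\S+)")

def audit(log_text, su_only_ids):
    """Return (violations, su_trail) for accounts that must be reached only via su."""
    violations, su_trail = [], []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m and m["user"] in su_only_ids:
            # Direct SSH login to a su-only account: DenyUsers missing or bypassed.
            violations.append((m["ts"], m["user"], m["src"], m["method"]))
            continue
        m = SU_RE.match(line)
        if m and m["target"] in su_only_ids:
            # Expected path: shows which personal account became the shared id.
            su_trail.append((m["ts"], m["user"], m["target"], m["tty"]))
    return violations, su_trail

if __name__ == "__main__":
    bad, trail = audit(SAMPLE_LOG, {"root", "shareduser"})
    for ts, user, src, method in bad:
        print(f"DIRECT LOGIN {ts} {user} from {src} via {method}")
    for ts, user, target, tty in trail:
        print(f"su {ts} {user} -> {target} on {tty}")
```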