General way
====================
Add a line like the one below to /etc/ssh/sshd_config (one or more user names, separated by spaces):
DenyUsers <username>
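As an added example (not part of the original page), the following POSIX sh script audits which accounts an sshd_config file actually denies, so an administrator can verify the DenyUsers line took effect before relying on it. It assumes keyword/value pairs separated by whitespace or a single "=", treats each token on a DenyUsers line as a plain user name (user@host patterns are not expanded), and does not scope directives inside Match blocks; the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's or OpenSSH's own code.
# Assumptions: "Keyword value" or "Keyword=value" lines, no Match-block
# scoping, and DenyUsers tokens are plain user names.

# Print every name listed on any DenyUsers line of $1, one per line.
# sshd_config keywords are case-insensitive, so the keyword is lowercased;
# commented-out lines ("#DenyUsers ...") do not match.
denied_users() {
    sed 's/^\([[:space:]]*[A-Za-z]*\)[[:space:]]*=/\1 /' "$1" |
    awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 when user $1 appears in the DenyUsers list of config $2.
is_denied() {
    denied_users "$2" | grep -qx -- "$1"
}

# Demonstration on a constructed sshd_config.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Port 22
#DenyUsers commented_out
DenyUsers oracle prdadm
denyusers=svcacct
PermitRootLogin no
EOF
    echo "Accounts denied in $cfg:"
    denied_users "$cfg" | sed 's/^/  /'
    for u in oracle svcacct alice; do
        if is_denied "$u" "$cfg"; then
            echo "$u: direct SSH login denied"
        else
            echo "$u: not listed in DenyUsers"
        fi
    done
    rm -f "$cfg"
}
demo
```

Run it against the real file with `denied_users /etc/ssh/sshd_config` after editing; remember that sshd only reads the file on restart or reload, so an account still logging in after the edit usually means the daemon has not been reloaded.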
Hartford Way
=====================
Here the list of restricted users goes in /etc/profile.no.direct.login.IDs, and the script below goes in /etc/profile.
# DENY DIRECT LOGIN #
# The following section denies direct login for certain IDs.
# To utilize this code: create a file /etc/profile.no.direct.login.IDs.
# Set ownership of above file to root, protection to 444.
# Each line in the file contains one ID for which direct login is prohibited.
# Each entry in the file must begin in column 1.
#
if [ -f /etc/profile.no.direct.login.IDs ]
then
    # Redirect the file into the loop instead of piping it from cat: in a
    # pipeline the loop runs in a subshell, so "exit" would end only the
    # subshell and not the login shell.
    while read ID_ENTRY
    do
        if [ "`logname`" = "$ID_ENTRY" ]
        then
            echo ""
            echo "###########################################"
            echo "# Direct login not allowed for this ID !! #"
            echo "###########################################"
            echo ""
            echo "Exiting..."
            sleep 2
            exit
        fi
    done < /etc/profile.no.direct.login.IDs
fi
# END DENY DIRECT LOGIN #
--------------------------------------------------------------------------
The last option is a simple addition to /etc/profile:
# "who am i" prints name, tty and login time; keep only the name
REALNAME=$(who am i | awk '{print $1}')
if [ "$LOGNAME" = "$REALNAME" ]
then
    echo "Naughty child, direct login disabled $LOGNAME"
    exit 1
fi
Note that the name reported by "who am i" differs from LOGNAME when su - is used: it stays the original user, while LOGNAME becomes the target account.
You will have to add a loop so that only certain users are checked; let's say they are listed one per line in /etc/specialusers:
while read -r uname
do
    if [ "$LOGNAME" = "$uname" ]
    then
        REALNAME=$(who am i | awk '{print $1}')
        if [ "$LOGNAME" = "$REALNAME" ]
        then
            echo "Naughty child, direct login disabled $LOGNAME"
            exit 1
        fi
    fi
done < /etc/specialusers
-----------------------------------------------------------------------------
For Bourne and POSIX shells, add the following to /etc/profile:
#unsupported statements to prevent users from login but allow su.
name=`logname`
if [ "$name" = username ]
then
    echo "$name not allowed to login...only su"
    # "logout" is not a Bourne/POSIX sh builtin; exit ends the login shell
    exit
fi
#end
Note: username should be replaced with the name of the user to whom direct login access is denied.
For C shell, add the following to /etc/csh.login:
#unsupported statements to prevent users from login but allow su.
set name=`logname`
if ( $name == username ) then
echo $name not allowed to login...only su
exit
endif
#end
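The /etc/profile variants above (the Hartford Way script, the who am i check and the Bourne shell snippet) all implement the same rule: refuse the session when the account is on a restricted list and the real login name equals the account name, which means a direct login rather than an su. As an added example that is not code from the original page, here that rule is written as a POSIX sh function taking the login name, the real name and the list file as parameters, so it can be exercised with constructed values where no tty exists; the list file and session values in the demonstration are constructed, and the suggested /etc/profile call assumes a tty is present at login.

```shell
#!/bin/sh
# Added example, not the page's own code. The check is a function so it can
# be tested with constructed values instead of a live login session.

# Usage: direct_login_denied LOGIN_NAME REAL_NAME LIST_FILE
# Returns 0 (deny) when LOGIN_NAME is listed in LIST_FILE (one name per
# line, starting in column 1) and REAL_NAME equals LOGIN_NAME, i.e. the
# user logged in directly. After "su -", REAL_NAME still names the original
# user while LOGIN_NAME is the target account, so the check returns 1.
direct_login_denied() {
    login=$1; real=$2; list=$3
    [ -f "$list" ] || return 1
    # Redirect the file into the loop; with "cat list | while ..." the loop
    # runs in a subshell and an exit inside it would not end the login shell.
    while IFS= read -r entry; do
        # skip blank lines and comments
        case $entry in ''|'#'*) continue ;; esac
        if [ "$entry" = "$login" ] && [ "$real" = "$login" ]; then
            return 0
        fi
    done < "$list"
    return 1
}

# In /etc/profile the call would look like this (assumes a tty at login,
# since logname reads the login name recorded for the terminal):
#   if direct_login_denied "$LOGNAME" "$(logname)" /etc/profile.no.direct.login.IDs
#   then
#       echo "Direct login not allowed for this ID"; sleep 2; exit 1
#   fi

# Demonstration with a constructed list file and constructed session values.
demo() {
    list=$(mktemp)
    printf '# restricted accounts (constructed)\noracle\nprdadm\n' > "$list"
    for pair in "oracle oracle" "oracle dba1" "alice alice"; do
        set -- $pair
        if direct_login_denied "$1" "$2" "$list"; then
            echo "LOGNAME=$1 real=$2 -> denied (direct login)"
        else
            echo "LOGNAME=$1 real=$2 -> allowed"
        fi
    done
    rm -f "$list"
}
demo
```

The function deliberately never calls exit itself; the caller in /etc/profile decides what to do, which keeps the list-reading logic testable and avoids ending the wrong shell when the check is sourced from a non-login context.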
----------------------------------------------------------------------
Hello,
This is the final solution. I will write a
Knowledge Brief about it:
a) As in any good company, inetd-based
protocols were disabled (telnet, rsh, rlogin).
b) Ordinary users have access to the server
via SSH only.
c) Added into sshd_config:
DenyUsers oracle prdadm
d) Installed SUDO and SUDOSH.
Everyone is familiar with sudo, and
sudosh is available at:
http://sourceforge.net/projects/sudosh
For example, to log in as oracle:
/bin/sudo -u oracle /usr/local/bin/sudosh
SUDOSH captures all keystrokes on the tty and
the user cannot forge them! There is also a
replay command to check what the user did:
sudosh-replay
Note that sudosh can be a login Shell too!
Bingo: SUDOSH was a perfect and relatively easy method that made the customer happy.