dskhunter

asked on

SU Only Account

Similar to AIX, is there a way to set up a login account that can only be su'd to (no direct login from the login prompt)?

Thanks,
Don
ASKER CERTIFIED SOLUTION
chris_calabrese

SOLUTION
SOLUTION
yuzh

dskhunter

ASKER

In AIX you can set an account so it can't be logged into directly (su only). You have to log in as someone else, then su - to the account. You can then create a group that contains only the login accounts that are allowed to su to that 'su only' account.

If I've explained it properly, it appears that none of these suggestions seem to match the AIX functionality that we are trying to mimic on our Linux machines.

I'll split the points between you three for replying.

Inserting something like this in the .bash_profile will do the trick. This would be for ssh.

    # SSH_TTY is set by sshd when the session has a terminal allocated
    if [ -n "$SSH_TTY" ]; then
        logout
    fi


That may not do the trick if a) there are ways for the user to execute code without going through .bash_profile (such as through something like 'ssh host rm .bash_profile') or b) if the .bash_profile is writable by the user (i.e., they own their .bash_profile or their home directory).
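
Caveat (b) above can be checked mechanically: a guard in .bash_profile only holds if the account can neither edit the file nor replace it through the home directory. The script below is an added example, not code from any poster in this thread; the function name `guard_is_tamperable`, the script name and the account name in the usage comment are hypothetical, and it assumes GNU stat as shipped on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): audits caveat (b) for a
# .bash_profile-based login guard. Requires GNU stat (-c), as on Linux.

# guard_is_tamperable HOME_DIR ACCOUNT_UID
#   0 = the account can edit or replace the guard
#   1 = guard file and home directory are locked down
#   2 = no .bash_profile present, so there is no guard at all
guard_is_tamperable() {
    home_dir=$1
    account_uid=$2
    profile="$home_dir/.bash_profile"

    if [ ! -f "$profile" ]; then
        return 2
    fi

    for target in "$home_dir" "$profile"; do
        owner=$(stat -c '%u' "$target")
        mode=$(stat -c '%a' "$target")
        # The owner can always chmod and rewrite the file; owning the
        # directory is enough to unlink the file and create a new one.
        if [ "$owner" = "$account_uid" ]; then
            return 0
        fi
        # Conservative assumption: any group- or other-write bit is treated
        # as writable by the account (group membership is not resolved).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            return 0
        fi
    done
    return 1
}

# Usage: sh audit_guard.sh /home/appacct appacct   (names are placeholders)
if [ "$#" -eq 2 ]; then
    rc=0
    guard_is_tamperable "$1" "$(id -u "$2")" || rc=$?
    case $rc in
        0) echo "TAMPERABLE: $2 can modify or replace $1/.bash_profile" ;;
        1) echo "OK: $1 and .bash_profile are not writable by $2" ;;
        2) echo "MISSING: $1/.bash_profile does not exist" ;;
    esac
fi
```

This covers only caveat (b). A command passed directly to ssh does not start a login shell, so .bash_profile is never read in that case, whatever its permissions.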