restrict remote logins to service accounts. 2006-01-17 - By Collins, Kevin [MindWorks]
Back Ed,
I was going to respond the same way, but after some testing discovered that ssh, scp and sftp all get "connection closed" with the shell set to /bin/false...
Kevin
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of Ed Wilts
Sent: Tuesday, January 17, 2006 12:07 PM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: restrict remote logins to service accounts.
On Tue, Jan 17, 2006 at 09:35:34AM -0600, David.Knight@(protected) wrote:
> I have an issue with Admins/DBA's logging into my servers directly as
> service accounts such as user 'oracle'. I have had a hard time getting
> people to adopt the use of sudo. I am at the point where I need to
> restrict direct logins to these accounts. My goal is to force people to
> sudo to the service accounts from their assigned user account. I only
> allow ssh/scp connections to my servers. I have tried the sshd.config
> option "AllowUsers" but this also restricts scp logins. I can't restrict
> this for automated processes run under the service accounts use scp. So
> the only thing I need to restrict is direct remote "ssh" logins.
The easiest thing to do (I think) is to change the shell for oracle to /bin/false. That will kill all remote access but should allow the scp to continue.
The admins then need to do something like sudo su - -s /bin/bash oracle. This is how I maintain all my external FTP users that don't have shell access and I need to do work in their account areas.
.../Ed
-- Ed Wilts, RHCE Mounds View, MN, USA mailto:ewilts@(protected) Member #1, Red Hat Community Ambassador Program
-- Taroon-list mailing list Taroon-list@(protected) https://www.redhat.com/mailman/listinfo/taroon-list
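The thread's problem (block interactive ssh logins to a service account such as oracle without breaking scp, which a /bin/false shell does break) can be solved with a restricted login shell instead. The script below is an added example, not code from the thread or from Red Hat; it assumes the hypothetical install path /usr/local/bin/scponly-shell, set as the service account's shell.

```shell
#!/bin/sh
# Restricted login shell for a service account (added example, not from the
# thread). sshd starts the account's login shell as `<shell> -c "<command>"`
# for scp/sftp transfers and with no arguments for an interactive login, so a
# shell that honours only scp/sftp-server commands blocks direct "ssh oracle@"
# sessions while leaving automated scp jobs working. Assumed install path:
# /usr/local/bin/scponly-shell (hypothetical), set as the account's shell.

# Return 0 when $1 is an scp transfer or an sftp-server invocation, 1 otherwise.
allow_command() {
    cmd=$1
    case "$cmd" in
        "") return 1 ;;                                   # interactive login
        *[';&|`$<>()']*) return 1 ;;                      # shell metacharacters
        "scp -t "*|"scp -f "*|"scp -"*" -t "*|"scp -"*" -f "*) ;;  # scp sink/source
        */sftp-server|*/sftp-server" "*) ;;               # sftp subsystem
        *) return 1 ;;                                    # anything else
    esac
    return 0
}

# Decide for one login: prints "allow" or "deny" and returns 0 or 1.
# "$1" is "-c" and "$2" the remote command when sshd passes one.
decide() {
    if [ "$1" = "-c" ] && allow_command "$2"; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# Dispatch only when running under the installed name; under any other name
# (sourced, or run for testing) the file just defines the functions above.
case "$0" in
    */scponly-shell)
        if decide "$@" >/dev/null; then
            exec /bin/sh -c "$2"
        fi
        echo "This account allows scp/sftp only; log in as yourself and use sudo." >&2
        exit 1
        ;;
esac
```

A rejected login prints the pointer to sudo on stderr, so the ssh session closes with a reason instead of the silent "connection closed" that /bin/false gives; if you set the shell with chsh rather than usermod, the path must also be listed in /etc/shells.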