Can I force a general user to 'su' to another general user?
Hello,
There's a common login account 'apadmin', which is a general user; however, I can't identify who is using 'apadmin' at the same time. I have an idea: create a login account for each user, e.g. 'frank', who must run 'su - apadmin' to do the work; then I can know who is using the 'apadmin' account.
Can anyone advise me how to do it, that is, force 'frank' to use 'su - apadmin'? Because they will still know the password of 'apadmin'!!
# 1
The easy way is to change the password of apadmin thus forcing them to log in to the newly created personal accounts.
If you change the password to something they don't know they won't be able to change it once su'ing to the account.
I've had to use this somewhat heavy handed approach in the past.
Travis
# 4
> How do they login? If they only use ssh you could add
> DenyUsers apadmin
>
> to /etc/ssh/sshd_config
>
> .7/M.
Currently, we are using 'telnet' internally. It might be a method to use if they used 'ssh'; however, we just want to distinguish who is using 'apadmin' by each person's own account. That is, they will log in under their own name, e.g. 'john', then 'su - apadmin' to do their job.
# 5
Well, if I have understood you correctly, you want to prevent people from remotely logging in as apadmin. But force them to login as their own account and su to apadmin.
The following might work.
The "who am i" command shows the real user id, which is the original account for an su'd user.
So if you modify the apadmin account's .profile (or .cshrc) to run "who am i" and exit if it's apadmin, then people should be unable to telnet in as apadmin.
Of course, if someone wanted to be sneaky, they could edit the .profile.
So it really depends on to what extent you mistrust them.
Presumably there's a level of mistrust, or you could just ask everyone to su to apadmin instead of logging in directly.
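The `.profile` check described in post #5, written out as an added example that is not part of the thread. It assumes `who am i` prints the original login name as its first field; the function names, the `SHARED_ACCOUNT` variable and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SHARED_ACCOUNT and the function
# names are assumptions chosen for illustration.
SHARED_ACCOUNT="apadmin"

# Print the login name (first field) of one line of `who am i` output.
origin_user() {
    line=$1
    line=${line#"${line%%[![:space:]]*}"}   # drop leading blanks
    printf '%s\n' "${line%%[[:space:]]*}"   # keep the first field
}

# Return 0 if the session was opened under a personal account (the user
# then ran su), 1 if it is a direct login as the shared account or the
# origin cannot be determined (fail closed).
came_via_su() {
    origin=$(origin_user "$1")
    case "$origin" in
        ""|"$SHARED_ACCOUNT") return 1 ;;
        *)                    return 0 ;;
    esac
}

# One audit line per session: who is behind the shared account.
audit_line() {
    if came_via_su "$1"; then
        printf 'allow %s via=%s\n' "$SHARED_ACCOUNT" "$(origin_user "$1")"
    else
        printf 'deny %s direct-login\n' "$SHARED_ACCOUNT"
    fi
}

# Demo on constructed `who am i` lines (not real output from any host).
audit_line "frank    pts/3   Jan 10 09:12 (ws12)"
audit_line "apadmin  pts/4   Jan 10 09:15 (ws07)"
audit_line ""

# Use in ~apadmin/.profile (shown as a comment so this file only prints):
#   came_via_su "$(who am i)" || { echo "Log in as yourself, then su - apadmin"; exit 1; }
#   audit_line "$(who am i)" | logger -t apadmin-guard
```

Making the shared account's `.profile` owned by root and not writable by apadmin narrows the edit-the-profile bypass mentioned in the post, though a user can still start a shell that skips the profile.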
# 6
As I suggested before, if you configure "sudo" and change the password for "apadmin", they will never be able to telnet or ssh without knowing the password.
If you require all users to automatically su at login, just put "sudo su - apadmin" in /etc/profile.
Also, to add: if you would like to block users from telnetting in as "apadmin", install "tcpwrappers". It can be configured to refuse users, or at least log the workstation that keeps telnetting in as "apadmin".