How to prevent users from logging in under a service account?

JockVSJock · 04-18-2019, 12:08 PM

Ok, I'm familiar with that entry under DenyGroups under /etc/ssh/sshd_config

However would this affect scripts that use ssh keys too?

Quote:

Originally Posted by Ghostwheel

While I tend to agree that your setup should probably be rethought, would it work to just disallow ssh access to these "service accounts" so they cannot be remotely logged into? This would force your users to use their own account and sudo to the service accounts.

Turbocaptialist is on the same track as well, I see.

pan64 · 04-18-2019, 01:29 PM

Quote:

Originally Posted by JockVSJock

However would this affect scripts that use ssh keys too?

I do not really understand this question.

szboardstretcher · 04-18-2019, 01:37 PM

1) Remove the service account completely. Set up sudo for the users correctly.
2) Keep the svcacct, but modify it to have 'nologin' in /etc/passwd. Users can then "su - -s /bin/bash svcacct".

Turbocapitalist · 04-18-2019, 02:03 PM

Use ForceCommand in sshd_config, under a Match directive if necessary. But of more use would be to use single-purpose keys and the Command="..." option inside the public keys. See "man sshd" for that and scroll down to the section "AUTHORIZED_KEYS FILE FORMAT" where you'll see the details.

scasey · 04-18-2019, 09:59 PM

Quote:

Originally Posted by pan64

if the login shell is set to nologin the system will not allow you to log in. with or without ssh keys.

Repeating this...in addition, if the login shell is set to nologin, one can't su to it either.
nologin means nologin. period.