How to prevent users from logging in under a service account?
What is a good approach for managing this? Because it is not clear to me.
That was explained. You don't need to solve that problem with workarounds; you need to avoid that situation altogether. But probably I misunderstood it (completely?). I mean (for example) users are not allowed to put their keys everywhere....
I do not want to offend you. Just wanted to give you the best hint I can.
Obviously nologin, sudoers and other things mentioned earlier are definitely good and useful, but if the keys are there you are lost. And I think even root can be compromised.
Sorry, I got side tracked with work, however I want to thank everyone for their answers. This is what I've taken away from this thread.
1. There are no "service accounts" in Linux.
2. I've set the shell for accounts that certain end users keep logging into directly to /sbin/nologin, when they should log in with their normal user account and then escalate to a different account.
So if I'm understanding you correctly, we shouldn't allow this user account (Oracle) to have access to ssh keys between two RHEL VMs. Sounds like this is a security issue as well. If you don't mind elaborating on that, as I don't understand the why behind it.
Regular users typically log in to RHEL VMs from a Windows 10 desktop via PuTTY.
As the sys admin, I use ssh keys between all of my RHEL VMs. I may not have a firm understanding of the how, but I want to make sure security is applied correctly to the RHEL VMs that I manage.
However I have end users who can't follow the rules or don't think the rules apply to them. Should they not be allowed to generate ssh keys too, since they have no regard for the rules?
Quote:
Originally Posted by pan64
do you want to allow ssh for these service accounts (among hosts?) (you should not). Do you want to allow ssh with key [only] for regular users?
Last edited by JockVSJock; 04-18-2019 at 06:41 AM.
ssh keys are used to allow passwordless logins using ssh. This can be convenient for regular users and also for services which should do some remote work (like ansible).
Actually I don't know if the given oracle user is meant to do some remote managing, but if I remember well it was not planned.
You need to set up [passwordless] sudo <oracle user> <some commands> for the users who are allowed to manage oracle and configure ssh keys for them.
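As an added example (my own script, not code posted in this thread), here is the shape of what pan64 describes: the service account keeps no interactive shell, and the people who manage it reach it only through a sudo rule limited to an explicit command list. The names are assumptions: service account "oracle", admin group "dba", and the tool paths under /u01/app/oracle/bin. PASSWD and SUDOERS_DIR default to the live files; point them at copies to dry-run the functions as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Locks a service account
# and delegates it through sudo. Assumed names: service account "oracle",
# admin group "dba", tool paths under /u01/app/oracle/bin.
# PASSWD and SUDOERS_DIR default to the live files; set them to copies to
# dry-run the functions as an unprivileged user.

# Emit one sudoers line: members of group $2 may run the listed commands
# (remaining arguments, which must be absolute paths) as user $1 without
# a password.
sudoers_rule() {
    svc="$1"; grp="$2"; shift 2
    cmds=""
    for c in "$@"; do
        case "$c" in
            /*) ;;
            *)  echo "sudoers_rule: '$c' is not an absolute path" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    [ -n "$cmds" ] || { echo "sudoers_rule: no commands given" >&2; return 1; }
    printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$grp" "$svc" "$cmds"
}

# Write the rule as a drop-in under SUDOERS_DIR (default /etc/sudoers.d)
# with the 0440 mode sudo requires. The file is staged under a name sudo
# ignores (it contains a dot) and renamed only once it is complete.
# visudo -c also checks owner and mode, so the syntax check runs only when
# we are root and the file is really ours.
install_sudoers_rule() {
    dir="${SUDOERS_DIR:-/etc/sudoers.d}"
    f="$dir/50-$1"
    sudoers_rule "$@" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
    chmod 0440 "$f.tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f.tmp" >/dev/null || { rm -f "$f.tmp"; return 1; }
    fi
    mv "$f.tmp" "$f" && printf '%s\n' "$f"
}

# Accounts in PASSWD (default /etc/passwd) that still have an interactive
# shell. A service account meant to be locked with /sbin/nologin keeps
# showing up here until someone actually runs usermod on it.
interactive_accounts() {
    awk -F: '$7 !~ "/(nologin|false)$" { print $1 }' "${PASSWD:-/etc/passwd}"
}

# Succeeds only if account $1 exists in PASSWD with a nologin/false shell.
is_locked_shell() {
    awk -F: -v u="$1" '
        $1 == u { found = 1; if ($7 ~ "/(nologin|false)$") ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }' "${PASSWD:-/etc/passwd}"
}

# Typical use as root on the RHEL host, in this order:
#   usermod -s /sbin/nologin oracle
#   is_locked_shell oracle && echo locked
#   install_sudoers_rule oracle dba /u01/app/oracle/bin/lsnrctl /u01/app/oracle/bin/sqlplus
# A member of dba then runs, for instance:
#   sudo -u oracle /u01/app/oracle/bin/lsnrctl status
```

The rule grants the group only the listed binaries as oracle, not a shell as oracle; if a user needs a full shell as the service account, that is a separate, deliberate decision and should be its own sudoers line. interactive_accounts is the quick audit for the "I set it to nologin, did it stick?" question.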
I have ssh keys setup for my user account because it saves me time from having to type a password over and over. For another account that does port scanning, I used ssh keys because it was having issues logging in. Once setting up ssh keys, that solved that issue.
Right again, in that I've set up Oracle and whitelisted commands via sudo.
It's still not clear how setting up Oracle with /sbin/nologin will affect ssh keys, or if this will be more of a security issue, as I have users who can't be trusted to do the right thing.
Quote:
Originally Posted by pan64
ssh keys are used to allow passwordless logins using ssh. This can be convenient for regular users and also for services which should do some remote work (like ansible).
Actually I don't know if the given oracle user is meant to do some remote managing, but if I remember well it was not planned.
You need to set up [passwordless] sudo <oracle user> <some commands> for the users who are allowed to manage oracle and configure ssh keys for them.
You can use AllowGroups to whitelist groups or DenyGroups to blacklist them in sshd_config. That can keep people from logging in with the wrong accounts.
While I tend to agree that your setup should probably be rethought, would it work to just disallow ssh access to these "service accounts" so they cannot be remotely logged into? This would force your users to use their own account and sudo to the service accounts.
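As an added example (my own script, not code from either of the two posts above), here is the sshd side of what they suggest: sshd admits only members of named groups, and the service account (assumed name "oracle") is denied outright, so people have to come in as themselves and use sudo. One caveat worth knowing: /sbin/nologin only stops a shell from starting. A key in the service account's authorized_keys can still authenticate, for example for port forwarding with ssh -N, which is why the DenyUsers line and the key audit below matter. PASSWD, ROOT and SSHD_CONFIG_D default to the live system; set them to copies to dry-run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Restricts ssh logins to
# named groups, denies the service account (assumed name "oracle"), and
# audits locked accounts for leftover authorized_keys.
# PASSWD, ROOT and SSHD_CONFIG_D default to the live system; set them to
# copies to dry-run as an unprivileged user. RHEL 9 reads
# /etc/ssh/sshd_config.d by default; the OpenSSH shipped with RHEL 7 and 8
# has no Include directive, so there the two lines go straight into
# /etc/ssh/sshd_config.

# Drop-in text: AllowGroups lists who may log in at all (remaining args);
# DenyUsers closes the service account $1 even if it is ever added to one
# of those groups, because sshd evaluates DenyUsers before AllowGroups.
sshd_access_fragment() {
    svc="$1"; shift
    [ $# -gt 0 ] || { echo "sshd_access_fragment: need at least one group" >&2; return 1; }
    printf 'AllowGroups %s\nDenyUsers %s\n' "$*" "$svc"
}

# Write the fragment under SSHD_CONFIG_D (default /etc/ssh/sshd_config.d).
# Run "sshd -t" and then "systemctl reload sshd" afterwards; a typo here
# locks everyone out, so keep the current session open while testing.
install_sshd_fragment() {
    dir="${SSHD_CONFIG_D:-/etc/ssh/sshd_config.d}"
    f="$dir/50-service-accounts.conf"
    sshd_access_fragment "$@" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
    chmod 0600 "$f.tmp" && mv "$f.tmp" "$f" && printf '%s\n' "$f"
}

# Locked accounts (nologin/false shell) in PASSWD that still carry a
# non-empty ~/.ssh/authorized_keys, printed as "user keycount". ROOT is
# prefixed to each home directory so a copied tree can be audited.
authorized_keys_on_locked_accounts() {
    awk -F: '$7 ~ "/(nologin|false)$" { print $1 ":" $6 }' "${PASSWD:-/etc/passwd}" |
    while IFS=: read -r user home; do
        f="${ROOT:-}$home/.ssh/authorized_keys"
        [ -s "$f" ] || continue
        # count key lines only: skip blanks and comments
        n=$(grep -Ecv '^[[:space:]]*(#|$)' "$f" || true)
        [ "$n" -gt 0 ] || continue
        printf '%s %s\n' "$user" "$n"
    done
}

# Typical use as root:
#   install_sshd_fragment oracle wheel dba && sshd -t && systemctl reload sshd
#   authorized_keys_on_locked_accounts     # then remove or justify each key
```

The sysadmin's own host-to-host keys belong to the admin's account (or to a dedicated automation account that is itself listed in DenyUsers for interactive use and reached only by the automation host), not to oracle; the audit function is there to find the keys that ended up under the service account anyway.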
Turbocapitalist is on the same track as well, I see.