LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-18-2019, 12:08 PM   #31
JockVSJock
Senior Member
 
Registered: Jan 2004
Location: SATX
Distribution: RHEL/CentOS
Posts: 1,301

Original Poster
Blog Entries: 4

Rep: Reputation: 148Reputation: 148

Ok, I'm familiar with that entry under DenyGroups under /etc/ssh/sshd_config

However would this affect scripts that use ssh keys too?

Quote:
Originally Posted by Ghostwheel View Post
While I tend to agree that your setup should probably be rethought, would it work to just disallow ssh access to these "service accounts" so they cannot be remotely logged into? This would force your users to use their own account and sudo to the service accounts.

Turbocaptialist is on the same track as well, I see.
 
Old 04-18-2019, 01:29 PM   #32
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 12,596

Rep: Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937Reputation: 3937
Quote:
Originally Posted by JockVSJock View Post
However would this affect scripts that use ssh keys too?
I do not really understand this question.
 
Old 04-18-2019, 01:37 PM   #33
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649Reputation: 1649
1) Remove the service account completely. Set up sudo for the users correctly.
2) Keep the svcacct, but modify it to have 'nologin' in /etc/passwd. Users can then "su - -s /bin/bash svcacct".
 
Old 04-18-2019, 02:03 PM   #34
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,913
Blog Entries: 3

Rep: Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862Reputation: 1862
Use ForceCommand in sshd_config, under a Match directive if necessary. But of more use would be to use single-purpose keys and the Command="..." option inside the public keys. See "man sshd" for that and scroll down to the section "AUTHORIZED_KEYS FILE FORMAT" where you'll see the details.
 
Old 04-18-2019, 09:59 PM   #35
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 2,898

Rep: Reputation: 1004Reputation: 1004Reputation: 1004Reputation: 1004Reputation: 1004Reputation: 1004Reputation: 1004Reputation: 1004
Quote:
Originally Posted by pan64 View Post
if the login shell is set to nologin the system will not allow you to log in. with or without ssh keys.
Repeating this...in addition, if the login shell is set to nologin, one can't su to it either.
nologin means nologin. period.
 
  


Reply

Tags
service accounts


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
systemctl status postgresql-tst.service starts the service if service is stopped MarianForums Linux - Newbie 7 11-03-2018 03:02 PM
[SOLVED] Linux Ent 5 only root logging in.not other users logging authentication failure error ravikavala Linux - General 1 09-30-2014 03:46 AM
NIS+NFS: how to prevent users from logging directly into the server? kikinovak Slackware 8 09-18-2012 07:40 AM
Prevent user account from logging in but allow su to account DejaCpp Linux - General 4 07-26-2006 11:44 AM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 02:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration