Restricting direct login and su access
On critical systems it is usually considered bad practice to allow direct remote logins to system users, such as root or other application owners, and to shared users, such as oracle. For better control and from the user audit point of view, it is recommended to create separate login users that are allowed to connect and then switch (su) to the users considered critical. No other users should be exposed to the outside world through direct remote or local connections.
In this recipe, we will create a group named logingrp and a user named loginuser1, and we will disable direct logins for all other users.
Getting ready
All steps will be performed on nodeorcl1.
How to do it...
Create a designated group for users allowed to log in:
[root@nodeorcl1 ~]# groupadd logingrp

Create a user and assign it to the logingrp group as follows:
[root@nodeorcl1 ~]# useradd -g logingrp loginuser1

To disable direct login for all other users, add the following line to /etc/pam.d/system-auth:
account required pam_access.so

Uncomment and modify the following line in /etc/security/access.conf (the leading "-" is the deny action; the last field, ALL, means the rule applies to every origin, local and remote):
-:ALL EXCEPT logingrp:ALL
All logins except those of users in the logingrp group will now be denied. If we try to connect from nodeorcl5 as oracle, the connection is closed:
[loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
oracle@nodeorcl1's password:
Connection closed by 10.241.132.218
[loguser1@nodeorcl5 ~]$

The connection succeeds as loginuser1:
[loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1
loguser1@nodeorcl1's password:
[loguser1@nodeorcl1 ~]$
To disable su for all users except loginuser1, open /etc/pam.d/su and uncomment the following line as instructed in the file:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

From this moment, users who do not belong to the wheel group are not allowed to switch to another user. Add loginuser1 to the wheel group as follows; in this way the only user that may execute the su command will be loginuser1:
[root@nodeorcl1 etc]# usermod -G wheel loginuser1
If you try to execute su as the oracle user, you will get an incorrect password message and the switch cannot be performed:
[oracle@nodeorcl1 ~]$ su -
Password:
su: incorrect password
[oracle@nodeorcl1 ~]$

But as user loguser1 it succeeds:
[loguser1@nodeorcl1 ~]$ su -
Password:
[root@nodeorcl1 ~]#
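The following shell script is an added example and is not part of the recipe or of any vendor tooling. It audits the three controls the steps above put in place (pam_access enabled in system-auth, the deny-all-except rule in access.conf, pam_wheel enabled in pam.d/su plus wheel membership) by reading copies of those files from a directory given as an argument, so it can be exercised against constructed sample files without touching a live host; the function names, the directory layout and the sample file contents are all assumptions of this example. Pointing it at a copy of the real /etc/pam.d/system-auth, /etc/security/access.conf, /etc/pam.d/su and /etc/group gives a quick post-change check that nothing was left commented out.

```shell
#!/bin/sh
# Added example (not from the recipe): audit copies of the PAM and group files
# for the login and su restrictions described above. All paths are relative to
# the directory passed as $1; group and user names are parameters.

# 0 if system-auth contains an active "account required pam_access.so" line.
has_pam_access() {
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$1"
}

# 0 if access.conf contains a "-:ALL EXCEPT <group>:ALL" deny rule for group $2.
has_deny_all_except() {
    grep -Eq "^[[:space:]]*-[[:space:]]*:[[:space:]]*ALL[[:space:]]+EXCEPT[[:space:]]+$2[[:space:]]*:[[:space:]]*ALL" "$1"
}

# 0 if pam.d/su contains an active "auth required pam_wheel.so" line.
has_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# 0 if user $3 is listed in the member field of group $2 in group file $1.
in_group() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n' | grep -qxF "$3"
}

# Runs every check against $1/system-auth, $1/access.conf, $1/su and $1/group.
# Prints one line per check and returns 0 only when all controls are present.
audit_login_restrictions() {
    dir=$1; grp=$2; user=$3; rc=0
    if has_pam_access "$dir/system-auth"; then echo "ok:   pam_access active in system-auth"
    else echo "FAIL: pam_access not active in system-auth"; rc=1; fi
    if has_deny_all_except "$dir/access.conf" "$grp"; then echo "ok:   access.conf denies ALL EXCEPT $grp"
    else echo "FAIL: access.conf has no deny-all-except-$grp rule"; rc=1; fi
    if has_pam_wheel "$dir/su"; then echo "ok:   pam_wheel active in pam.d/su"
    else echo "FAIL: pam_wheel still commented out in pam.d/su"; rc=1; fi
    if in_group "$dir/group" wheel "$user"; then echo "ok:   $user is a member of wheel"
    else echo "FAIL: $user is not in wheel, so su would be refused"; rc=1; fi
    return $rc
}

# Writes constructed sample files into $1. "good" mirrors the finished recipe;
# "bad" mirrors a host where pam_wheel was left commented out and the login
# user was never added to wheel. These are sample contents, not real files.
make_sample_config() {
    dir=$1; state=$2
    printf 'auth     required  pam_env.so\naccount  required  pam_access.so\naccount  required  pam_unix.so\n' > "$dir/system-auth"
    printf '# deny everyone except the login group, from any origin\n-:ALL EXCEPT %s:ALL\n' logingrp > "$dir/access.conf"
    if [ "$state" = good ]; then
        printf 'auth  sufficient  pam_rootok.so\nauth  required  pam_wheel.so use_uid\n' > "$dir/su"
        printf 'wheel:x:10:loginuser1\nlogingrp:x:1001:\noracle:x:1002:\n' > "$dir/group"
    else
        printf 'auth  sufficient  pam_rootok.so\n#auth  required  pam_wheel.so use_uid\n' > "$dir/su"
        printf 'wheel:x:10:\nlogingrp:x:1001:\noracle:x:1002:\n' > "$dir/group"
    fi
}

# Stand-alone run: audit the "good" sample, then the "bad" one.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir" good
audit_login_restrictions "$demo_dir" logingrp loginuser1
echo "---"
make_sample_config "$demo_dir" bad
audit_login_restrictions "$demo_dir" logingrp loginuser1 || echo "bad sample correctly flagged"
rm -rf "$demo_dir"
```

The patterns deliberately anchor at the start of the line so that a commented-out `#auth required pam_wheel.so` or `#-:ALL EXCEPT ...` does not count as active, which is exactly the mistake the audit is meant to catch.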
How it works...
The PAM module that performs the login check is pam_access.so, with the control flag set to required and the module type account. The control of the su command is performed by the pam_wheel.so module.
There's more...
At this moment all users who do not belong to the logingrp group are not allowed to log in locally or remotely. The only exemption is root login using ssh. We will see how to deny remote root logins with ssh in the following recipe, Securing SSH login.