Disable users to direct login

Evan · October 15, 2012, 6:13am

Hi all,
how can I disable direct login to a Solaris system not only for root user but also for other accounts?

Looking in google I came to the following:

For telnet (/etc/default/login):

disable root access> CONSOLE=/dev/console
disable generic user> ?

For ssh (/etc/ssh/sshd_config):

disable root access> PermitRootLogin No
disable generic user> DenyUsers username1 username2

I also found references to files:

/etc/hosts.deny
/etc/hosts.allow

Which is the best practice?

Thanks in advance,
Evan

achenle · October 15, 2012, 6:24am

If you disable all logins, how do you plan on logging on to perform maintenance, such as patching?

If you want to disable remote access, just don't run telnet or sshd.

Evan · October 15, 2012, 6:34am

Strange answer ... anyway I just want to disable the following users:

root
achenle

Thanks,
Evan

hicksd8 · October 15, 2012, 7:18am

Evan · October 15, 2012, 11:28am

Hi all,
thanks for your contribute.

Reading blogs, forum and techdoc came out that there's no way to deny a specific user (except root) to login directly with telnet.

I was able to make some tests in the lab and I think that the right solution is the one provided in my first post.

Moreover I'm going to discuss with colleagues to stop the telnet service so that we should solve the problem of direct access with specific user "X".

Thanks again.

Kind regards,
Evan

hicksd8 · October 15, 2012, 11:40am

See post by jlliagre. You can change the user to a role (only) thereby preventing login. He also explains how to allow another user to take on this role.

Root is a role by default in Solaris 11. Another user can su to become root.

You can therefore make root and achenle unable to login directly by changing both to roles.