We have a generic user account "user1" setup on Solaris 8 that is used by an application. I dont want users to telnet/ssh using this account. Instead if they want to gain access, they must su or sudo to this after logging in with their own ID.
My earlier attempts to accomplish this by disabling telnet/ssh for a particular user have gone nowhere, mostly because I dont understand tcp wrappers.
I am looking for more simpler solutions, maybe a script will do this. A script which looks for this PID and kills it. Before killing the session, I would want a message flashed saying do not login with this account, your telnet session will be removed in 10 seconds or so. Ideally, I want this to happen:
User enters correct "user1" credentials and logs in. System flashes messages saying logout and log back with your own account. Telnet/ssh process is killed.
I got the script to kill the telnet session part as below. However, how do I make message flash for those logging in with this account? Also, how do I ensure this script is always running in background? cron every minute will do the trick or is there any other service (daemon?) which always "listens"? How do I set this up?
PID=`ps -ef |grep ssh |grep user1 | awk '{print $2}'`
for i in $PID; do echo "killing telnet session process with PID = $i";
sleep 10;
kill -9 $PID;
done
Any other more elegant solutions you can propose? Thanks for your time.
Actually I dont want to disturb password because the another app uses the same account to ftp to this server and changing password would mean changing it in multiple locations...big headache.
While I agree that the "right" way to do this would be by disabling telnet, using scp (with public key auth, likely) instead of ftp, and using DenyUser in the sshd config file, it looks like your situation won't allow that.
As far as why telnet isn't showing up as a separate process, it's likely because it's being run out of xinetd/inetd, instead of being a standalone daemon.
One way, admittedly somewhat complex, would be to write a wrapper that would then be used as this users shell - the wrapper would have to test to see if the session was being started remotely from ssh or telnet, or via sudo, or via ftp, and then do the right thing.
I've seen this done, but it's not necessarily all that easy.