Su-only account with ssh capability and no interactive login

Hello experts,

Is it possible to have a user account on RHEL 6.3 as a su-only account, but with ssh capability and no interactive login? Let me elaborate.

Say, we have a cluster of 5 RHEL 6.3 servers and a user account (strmadmin) on each of the servers as an su-only account, meaning "strmadmin" cannot log in interactively but needs to be su'ed to. Now, can we add 'ssh' capability to this account while still maintaining the non-interactive login? The requirement is that the su-only account (strmadmin) should be able to ssh to all the 5 servers in the cluster.

If this can be done, how can it be done?

Any help and any inputs are greatly appreciated.

TIA,
-Naveen.

Well, you could corrupt the password in /etc/shadow to prevent manual login. I'm a little unclear on whether you want the account to be able to use ssh to run something elsewhere or you want the account to be available from elsewhere to run commands locally.

If it is the former, then it will have ssh so long as it is on the path. If you want to set up some sort of service account for another server to drive work through, just set up a password-less SSH connection to this account.

Please elaborate on which of these you are wanting to do (or something else) so we can help you further. It seems like it might be a bit of both.
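
A check for the "corrupt the password in /etc/shadow" approach mentioned above, as an added example that is not part of the original thread: it reads a shadow(5)-format file and reports whether an account's password field rules out password login. The sample entries, the `svc_empty` and `svc_pw` account names, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify field 2 of a shadow(5) entry.
#   empty                -> no password required at all (unsafe for a service account)
#   starts with ! or *   -> not a valid crypt(3) result, so password login cannot succeed
#   anything else        -> a usable password hash is present

shadow_state() {
    # $1 = path to a shadow-format file, $2 = account name
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "password"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Succeeds only when the account exists and its password field is locked.
is_password_locked() {
    [ "$(shadow_state "$1" "$2")" = "locked" ]
}

# Constructed sample data; the hash below is a placeholder, not a real hash.
write_sample_shadow() {
    cat > "$1" <<'EOF'
strmadmin:!!:15900:0:99999:7:::
svc_empty::15900:0:99999:7:::
svc_pw:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:15900:0:99999:7:::
EOF
}

# Demo run against the constructed file (on a real host, point it at /etc/shadow as root).
sample=$(mktemp)
write_sample_shadow "$sample"
for u in strmadmin svc_empty svc_pw no_such_user; do
    printf '%s: %s\n' "$u" "$(shadow_state "$sample" "$u")"
done
rm -f "$sample"
```

An "empty" result is the case to catch: a blank field is not a locked account, it is an account with no password.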