Re: [ot] how to create a user that can't log in?
On Sun, Jan 20, 2002 at 01:41:44AM -0600, Nathan E Norman wrote:
> Hi,
>
> I'm setting up a project for some friends. I want each of them to
> have their own account, but I want the project to be hosted (and run
> under) a separate account. Each user should be able to su to the
> project account to restart daemons. No user should be able to log in
> as the project user.
>
> How do I set this up? Is it possible?
As was mentioned elsewhere in the thread, sudo is probably the best
solution, but if it's not possible for some reason, I'd recommend
pam_listfile or pam_wheel.

On some of my servers, I keep people out with:

    auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

in /etc/pam.d/ssh; you could use the opposite:

    auth required pam_listfile.so sense=deny onerr=succeed item=user file=/etc/nologinusers

and fill /etc/nologinusers with the names of any users you don't want
logging in via ssh.

With pam_wheel, you'd create a group containing users who are (or aren't,
depending on your preference) allowed to log in, and put this in the PAM
configuration of any services offering remote login:

    auth required pam_wheel.so group=shusers

or

    auth required pam_wheel.so deny group=noshusers

Docs on the various modules are all in
/usr/share/doc/libpam-doc/txt/pam.txt.gz, if you have the libpam-doc
package installed.
--
William Aoki waoki@umnh.utah.edu /"\ ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92 \ / No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B X
/ \
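
Added example (not part of the original message): a small Python model of the two pam_listfile lines above, reporting whether an account passes the module now and whether it would still pass if the list file could not be opened. It models item=user only; the account name "project" and the list contents are constructed sample values.

```python
import shlex

def parse_listfile_rules(pam_text):
    """Return the key=value options of each pam_listfile.so line."""
    rules = []
    for line in pam_text.splitlines():
        fields = shlex.split(line, comments=True)
        for i, field in enumerate(fields):
            if field.endswith("pam_listfile.so"):
                rules.append(dict(f.split("=", 1) for f in fields[i + 1:] if "=" in f))
    return rules

def module_passes(opts, user, listed):
    """Model item=user: `listed` is the set of names in the file,
    or None when the file cannot be opened (onerr then decides)."""
    if listed is None:
        return opts.get("onerr") == "succeed"
    found = user in listed
    return found if opts.get("sense") == "allow" else not found

def read_users(path):
    """Read a list file from disk; None if it cannot be opened."""
    try:
        with open(path) as fh:
            return {ln.strip() for ln in fh if ln.strip()}
    except (OSError, TypeError):
        return None

def audit(pam_text, account, read_list=read_users):
    """For each rule: (file, passes now, passes if the file is unreadable)."""
    return [(o.get("file"),
             module_passes(o, account, read_list(o.get("file"))),
             module_passes(o, account, None))
            for o in parse_listfile_rules(pam_text)]

# The two lines from the message; list contents below are constructed samples.
ALLOW_RULE = "auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers"
DENY_RULE = "auth required pam_listfile.so sense=deny onerr=succeed item=user file=/etc/nologinusers"
SAMPLE_LISTS = {"/etc/loginusers": {"alice", "bob"}, "/etc/nologinusers": {"project"}}

if __name__ == "__main__":
    for rule in (ALLOW_RULE, DENY_RULE):
        for path, now, if_missing in audit(rule, "project", SAMPLE_LISTS.get):
            print(f"{path}: project passes now={now}, if file unreadable={if_missing}")
```

In this model the deny form with onerr=succeed lets the account through when /etc/nologinusers is missing or unreadable, while the allow form with onerr=fail blocks everyone in the same situation.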