[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [ot] how to create a user that can't log in?

On Sun, Jan 20, 2002 at 01:41:44AM -0600, Nathan E Norman wrote:
> Hi,
> I'm setting up a project for some friends.  I want each of them to
> have their own account, but I want the project to be hosted (and run
> under) a seperate account.  Each user should be able to su to the
> project account to restart daemons.  No user should be able to log in
> as the project user.
> How do I set this up?  Is it possible?

As was mentioned elswhere in the thread, sudo is probalby the best
solution, but if it's not possible for some reason, I'd recommend
pam_listfile or pam_wheel.

On some of my servers, I keep people out with:

auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

in /etc/pam.d/ssh; you could use the opposite:

auth required pam_listfile.so sense=deny onerr=succeed item=user file=/etc/nologinusers

and fill /etc/nologinusers with the names of any users you don't want
logging in via ssh.

With pam_wheel, you'd create a group containing users who are (or aren't,
depending on your preference) allowed to log in, and put this in the PAM
configuration of any services offering remote login:

auth required pam_wheel.so group=shusers


auth required pam_wheel.so deny group=noshusers

Docs on the various modules are all in
/usr/share/doc/libpam-doc/txt/pam.txt.gz, if you have the libpam-doc
package installed.

William Aoki     waoki@umnh.utah.edu       /"\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92              \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B               X
                                           / \

Reply to: