interaction with su-only accounts

To increase security, my company has turned off r-commands, telnet,
FTP, etc., and only allows connections via 'ssh' and copying between
machines with 'scp' or 'sftp'.

To increase accountability, my company is looking into converting
generic or application IDs into "su-only" IDs. By this, I mean a user
will be required to log in as himself, and then 'su' over to the
desired appID; he won't be able to log in directly to the box as the
appID. This allows individual users' logins to be tracked, and changes to
appIDs will also be logged when they 'su' to the appID.

The issue is that when attempting to ssh/scp *to* this
"locked-down" machine as the appID, e.g. "scp
appID@remoteHost:hello.txt .", the locked-down machine will not allow
the scp/ssh access. I don't want to *log in* as the appID, but merely
use its credentials to grab a file or run a script.

Is there a way to be able to allow these types of remote accesses
(ssh/scp) but still restrict users from logging into the remote
machine as the appID?

I've not had good luck searching Google for someone with similar

Re: interaction with su-only accounts


Is this going to be accompanied by rigorous inventory of setuid
programs, cron jobs, listening ports etc etc ?  

Elvis Notargiacomo  master AT barefaced DOT cheek /

Re: interaction with su-only accounts

(all mail refused) wrote in message:

Although I'm not part of the UNIX team which will be in charge of
this, knowing their attention to detail, I would say "yes". How
rigorous it will be, I can't say for certain.

Re: interaction with su-only accounts

(Jeff Smith) said:


Recommend investigating "sudo" for a while. This might take you even
further to the direction you (or the company, at least) want to go.


Hmm.. running a script/command actually starts to be so close as to be
indistinguishable from logging in -- at least if you don't place any
specific restrictions on which commands are allowed. As for restricting
accounts to scp/sftp, there are some resources on Google, but it is
hellishly hard to really get correct (partly because sshd is so strict -
and rightly so- on file permissions).

As for the latter, try searching Google with '"sftp only" account'.
This seems to provide some answers.
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Re: interaction with su-only accounts

    JL> Recommend investigating "sudo" for a while.

Exactly -- configure sudo to allow users access to the appropriate other
accounts/programs without repeated authentication (NOPASSWD option).  They
can then do "ssh user@host sudo appID <command>..."

  Richard Silverman
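An added example (not from any poster in this thread) of the sudoers setup Richard describes, written so that it also answers Juha's caveat: the NOPASSWD grant is scoped to two named commands run as the application account rather than to ALL, so it gives the operators a logged, non-interactive way to fetch a file or run a script without handing them a shell as the appID. The account name "appid", the group of operators, the host name and the two command paths are assumptions; sudo's own flag for choosing the target user is `-u`.

```sudoers
# Added example, not from the thread. Assumed names: "appid" is the
# application account, APP_OPS lists the operators who may act as it,
# and the two command paths stand in for the script and file they need.
# Edit with `visudo`, which syntax-checks the file before saving.

# Operators allowed to act as the application account
User_Alias   APP_OPS  = jsmith, rsilverman

# The only commands they may run as appid (absolute paths, fixed arguments,
# no wildcards, so the grant cannot be turned into an arbitrary command)
Cmnd_Alias   APP_CMDS = /opt/app/bin/nightly-report.sh, \
                        /bin/cat /opt/app/export/hello.txt

# "ssh host sudo ..." allocates no tty; if the distribution's default sudoers
# sets requiretty, relax it for these operators or the remote call fails.
Defaults:APP_OPS !requiretty

# NOPASSWD so non-interactive invocations over ssh work; the scope is the
# two commands above, not ALL, so this is not an interactive shell as appid.
APP_OPS  ALL = (appid) NOPASSWD: APP_CMDS

# Invocation from another host. The personal login is what sshd records, and
# sudo logs each run (via syslog) with the real user, target user and command:
#   ssh jsmith@locked-host sudo -u appid /opt/app/bin/nightly-report.sh
#   ssh jsmith@locked-host sudo -u appid /bin/cat /opt/app/export/hello.txt > hello.txt
```

The second invocation replaces the original "scp appID@remoteHost:hello.txt ." without ever authenticating to sshd as the appID.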
