
We are writing an application (Perl, MySQL) that will run headless on a *nix system (likely CentOS).

How can I set up/secure the local user/password for the account 'app' (under which the app will be running) so that

  • a remote ssh-login is not possible
    (ssh is working, as are logins for all accounts, but I need to secure this single account)
  • a 'su app' works for users with existing accounts

What is such a setup called? I'm certainly not the first one to try this; it must be documented many times over, but I fail to find the relevant search terms for Google.


EDIT: Solution

I added the lines:

# prevent certain users from using ssh for login
# while retaining the option to 'su username'
DenyUsers app

to /etc/ssh/sshd_config

then restarted sshd using

service sshd restart

I can now login as 'user' over ssh and 'su app' to work as app.

2 Answers

Put all users into a group 'remote_users' and specify in your sshd.conf that only users from that group are allowed to log in via ssh:

AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
7
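The question's DenyUsers fix and this answer's AllowGroups approach both rely on the evaluation order quoted above (DenyUsers, AllowUsers, DenyGroups, AllowGroups). The following is an added example, not code from the question or either answer: a POSIX shell script that reads those four directives from an sshd_config file and applies them in sshd's order, so you can check what a given user with a given set of groups would get before restarting the daemon. It also shows the safe way to append the DenyUsers line. It assumes patterns use only the `*` and `?` wildcards (USER@HOST forms and `!` negation are not handled) and that the file has no Match blocks; the function names and the sample config written by the test are my own.

```shell
#!/bin/sh
# Added example, not from the original question or answers: evaluate sshd's
# DenyUsers / AllowUsers / DenyGroups / AllowGroups directives in the order
# sshd applies them and report whether a user could get past them over ssh.
# Assumptions: only '*' and '?' wildcards, no USER@HOST patterns, no '!'
# negation, no Match blocks.

set -f   # no pathname expansion: a pattern such as 'dep*' must stay literal

# matches_any NAME PATTERN... -> 0 if NAME matches any PATTERN.
# The shell's case globbing uses the same '*' and '?' wildcards sshd does.
matches_any() {
    name="$1"; shift
    for pat in "$@"; do
        case "$name" in $pat) return 0 ;; esac   # $pat unquoted on purpose
    done
    return 1
}

# directive_values CFG KEYWORD -> space-separated values of every KEYWORD line
# (keywords are case-insensitive in sshd_config; comment lines never match).
directive_values() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# ssh_login_allowed CFG USER [GROUP...] -> 0 if USER passes the allow/deny
# directives, 1 otherwise. GROUPs are USER's primary and supplementary groups
# (on a real host: `id -Gn USER`).
ssh_login_allowed() {
    cfg="$1"; user="$2"; shift 2
    deny_users=$(directive_values "$cfg" DenyUsers)
    allow_users=$(directive_values "$cfg" AllowUsers)
    deny_groups=$(directive_values "$cfg" DenyGroups)
    allow_groups=$(directive_values "$cfg" AllowGroups)

    # 1. DenyUsers: a match denies outright, whatever the groups say.
    [ -n "$deny_users" ] && matches_any "$user" $deny_users && return 1
    # 2. AllowUsers: when present, the user must match at least one pattern.
    if [ -n "$allow_users" ]; then
        matches_any "$user" $allow_users || return 1
    fi
    # 3. DenyGroups: any of the user's groups matching denies.
    if [ -n "$deny_groups" ]; then
        for g in "$@"; do
            matches_any "$g" $deny_groups && return 1
        done
    fi
    # 4. AllowGroups: when present, at least one of the user's groups must match.
    if [ -n "$allow_groups" ]; then
        for g in "$@"; do
            matches_any "$g" $allow_groups && return 0
        done
        return 1
    fi
    return 0
}

# apply_deny_user CFG USER: append a DenyUsers line for USER unless one already
# covers it, then validate the file with `sshd -t` before anything restarts the
# daemon; a typo in sshd_config would otherwise leave sshd unable to start.
# Needs root and a real sshd; not exercised by the test.
apply_deny_user() {
    cfg="$1"; user="$2"
    matches_any "$user" $(directive_values "$cfg" DenyUsers) && return 0
    printf '\n# prevent %s from logging in over ssh while still allowing "su %s"\nDenyUsers %s\n' \
        "$user" "$user" "$user" >> "$cfg"
    sshd -t -f "$cfg"   # non-zero exit means: fix the file before restarting
}
```

In practice: run `apply_deny_user /etc/ssh/sshd_config app` as root, and only when `sshd -t` is silent follow with `service sshd restart`, keeping your current ssh session open until a fresh login as 'user' followed by `su app` has been confirmed to work. Note that DenyUsers only governs sshd; it does nothing for console logins or for `su`, which is exactly why the question's setup keeps `su app` working.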

If you are using OpenSSH keys to log in via ssh, you could simply disallow password logins for all accounts. su-ing would still be possible.

2
