How do you allow a user to log in using "su - user" but prevent the user from logging in using SSH?
I tried to set the shell to /bin/false, but when I try to su it doesn't work.
Are there several ways to only allow logins by su?
Is SSH's AllowUser the way to go? (How would I do this if it's the way to go?)
You can use AllowUsers / AllowGroups if you have only a few users/groups that are allowed to log in via ssh, or DenyUsers / DenyGroups if you have only a few users/groups that are not allowed to log in. Note that this only restricts login via ssh; other ways of logging in (console, ftp, ...) are still possible. You need to add these options to your /etc/ssh/sshd_config file for most ssh installations.
If you have set the login shell to /bin/false you can use
su -s /bin/bash user
(replace /bin/bash with the shell of your choice)

If you still want su to work, you can use
sudo -u [username]
or pass
-s /bin/bash
to su as a temporary shell. They both do the same in the absence of a shell in /etc/passwd.

If an account has no password (passwd -d username), they can't log in interactively (console, SSH, etc.). If they have a valid shell, su will still work. Note the "interactively," though; if somebody decides to set up an SSH keypair for the account, it will work!
In sshd_config add a line
DenyUsers [username]   # the sshd_config directive is spelled DenyUsers (plural)
Note that this will not prevent that user from logging in via the console.
In addition to what's been mentioned above (disable and/or not setting the user password), pam_access module (look up man page on pam_access and access.conf) can be used to control login access.
as others have said;
DenyUsers username
or
DenyGroups groupname
in sshd_config
would prevent keypair/password login via ssh. though i usually do something like
AllowGroups ssh
or something along those lines, and explicitly add people who need ssh access to that group. then, you can do as others have said:
passwd -d username
to blank out the user's password, so they cannot log in at the console, or some other way. or better yet
passwd -l username
to 'lock' the account. it is possible ssh will deny access to a locked account, even with keys, but i'm not positive.

Knowing which mechanism is best depends on the requirements. If you know the requirements, you can choose the appropriate mechanism. All of the above answers are valid for some set of requirements.
Do you only want to restrict SSH access? Do you need access for mail or ssh methods? Is access only from root?
su - user
will require a password for user if it is run by a user other than root. However,
sudo -u user -i
does not require a password for user.

As I mentioned in a comment, I think that you can still su into an account with an invalid shell. So if you set the user's shell to /dev/null or whatever the shell of bin is, you should be able to still su into that user... but any attempt to log in in any way will quit you back out...
edit /etc/shadow by adding ! to the beginning of the password hash.
When securing a new install this is the first thing I do after installing sudo, so nobody is able to use the root user to login or ssh into the system, sudo users may still execute as root user.
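As an added check that is not part of any answer in this thread, the script below models sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups evaluation from the sshd_config answers above and the locked/empty password states left by passwd -l, passwd -d and the manual /etc/shadow edit. The sshd_config, shadow and group data are constructed samples; on a real host you would read /etc/ssh/sshd_config, /etc/shadow and /etc/group, and sshd -T -C user=NAME remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sshd_config, shadow and group
# data stand in for /etc/ssh/sshd_config, /etc/shadow and /etc/group.
SSHD_CFG='# constructed sshd_config fragment
DenyUsers backup
AllowGroups ssh wheel'
SHADOW='alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
backup:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
bob::19000:0:99999:7:::'
GROUP='ssh:x:1001:alice
wheel:x:10:bob'

# Value(s) of directive $1 in sshd_config text $2 (keys are case-insensitive).
cfg_value() { printf '%s\n' "$2" | awk -v k="$1" 'tolower($1)==tolower(k){$1="";print substr($0,2)}'; }

# Succeeds when word $1 appears in the space-separated list $2.
in_list() { case " $2 " in *" $1 "*) return 0;; esac; return 1; }

# Supplementary groups of user $1 from group-file text $2 (primary group not considered).
user_groups() { printf '%s\n' "$2" | awk -F: -v u="$1" '{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) print $1}'; }

# sshd checks DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order; an
# Allow* list that is present but does not match closes the door. Returns 0 if allowed.
ssh_allowed() { # user sshd_config_text group_text
  u=$1 c=$2 g=$3
  in_list "$u" "$(cfg_value DenyUsers "$c")" && return 1
  al=$(cfg_value AllowUsers "$c")
  [ -n "$al" ] && ! in_list "$u" "$al" && return 1
  for grp in $(user_groups "$u" "$g"); do in_list "$grp" "$(cfg_value DenyGroups "$c")" && return 1; done
  ag=$(cfg_value AllowGroups "$c")
  [ -z "$ag" ] && return 0
  for grp in $(user_groups "$u" "$g"); do in_list "$grp" "$ag" && return 0; done
  return 1
}

# Password state of user $1 in shadow text $2: "locked" (! or * prefix, as passwd -l
# or the manual /etc/shadow edit produce), "empty" (passwd -d), or "set".
pw_state() { printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u{if($2=="")print "empty";else if($2~/^[!*]/)print "locked";else print "set"}'; }

for u in alice backup svc bob; do
  if ssh_allowed "$u" "$SSHD_CFG" "$GROUP"; then s=allowed; else s=denied; fi
  echo "$u: sshd=$s password=$(pw_state "$u" "$SHADOW")"
done
```

A locked or empty password only blocks password authentication; a user that sshd still allows and that has an authorized_keys file can log in with a key, which is why the Deny/Allow directives and the password state are reported separately.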
Don't specify a password for the user not allowed to log in or delete it.