Disabling network login for an ID such that you can only su to a given non-root account

This is for Linux systems; HP-UX may or may not work similarly.

For some 'system' IDs, such as oracle or applmgr, it may be desirable to prevent the ID from being used for a network login, allowing access to it only via su -, as can be done for root. Since we only use ssh anymore, locking out network access for a given ID is done via the sshd pam module, /etc/pam.d/sshd. Add the following line to /etc/pam.d/sshd:

account required /lib/security/pam_access.so accessfile=/etc/security/access.conf

Then, add the user ID to /etc/security/access.conf. In this example, the user ID is bogus1:


The access.conf file is pretty well documented, but what the above statement says is take away all access privileges for the bogus1 ID. Since the only PAM module pointing to access.conf is sshd, it will only affect the sshd daemon at login; it won't, for example, prevent this ID from being used at the console, since sshd isn't used then.

See this for a bit more information.