My Linux has many non-human users like cron, ntp, daemon, http, etc. I want to prevent anybody from logging in as any of these users. The real people on my machine are root and me, so only root and me should be able to log in.
For non-human users, /bin/false is defined as the shell in the /etc/passwd file, but I have read that it doesn't protect against login via SSH, for example.
passwd -l doesn't protect against login via SSH either (as the man page says).
Is there a solution at all?
Best Answer
System accounts should already be locked, by setting their password hash to an invalid one (I see x and ! in my /etc/shadow). The only ways to get into their accounts without a password (as far as I know) are ssh with keypair auth (impossible unless someone with write permissions in their home directory put a public key in their ~/.ssh/authorized_keys), you can use Alex's AllowUsers configuration to prevent that remote possibility; and using su as root to get a shell as them. This possibility is impossible to prevent if anyone has access to root power. But if they do have root permissions, su-ing to a daemon account is the last thing you need to worry about.
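
An audit of the two login paths discussed in the answer above (password hash and SSH key), added here as an example and not part of the original answer. The sample passwd/shadow data, the function names and the `humans` parameter are constructed for illustration; the key check assumes sshd's default AuthorizedKeysFile location.

```python
import fnmatch
import os

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
me:x:1000:1000::/home/me:/bin/bash
cron:x:16:16::/var/spool/cron:/bin/false
ntp:x:87:87::/var/lib/ntp:/bin/false
http:x:33:33::/srv/http:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19000::::::
me:$6$constructed$hash:19000:0:99999:7:::
cron:!:19000::::::
ntp:x:19000::::::
http::19000::::::
"""

def password_locked(hash_field):
    """True if the shadow field can never match a password (x, !..., *...)."""
    return hash_field == "x" or hash_field.startswith(("!", "*"))

def has_default_keyfile(home):
    """Assumption: keys live in ~/.ssh/authorized_keys (sshd default)."""
    return os.path.isfile(os.path.join(home, ".ssh", "authorized_keys"))

def audit(passwd_text, shadow_text, allow_users, humans, has_keys=has_default_keyfile):
    """Return {account: [findings]} for non-human accounts with an open login path."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l)
    report = {}
    for line in filter(None, passwd_text.splitlines()):
        name, _, _, _, _, home, _shell = line.split(":")
        if name in humans:
            continue
        findings = []
        # An empty or missing hash is reported too: empty means no password needed.
        if not password_locked(hashes.get(name, "")):
            findings.append("password not locked")
        # With AllowUsers set, sshd refuses every user that matches no pattern.
        ssh_ok = not allow_users or any(
            fnmatch.fnmatch(name, p.split("@")[0]) for p in allow_users)
        if ssh_ok and has_keys(home):
            findings.append("ssh key login possible")
        if findings:
            report[name] = findings
    return report
```

Pass the contents of the real /etc/passwd and /etc/shadow (read as root) and the AllowUsers patterns from sshd_config to run it against a live system.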