Unable to Disable LOCAL user login

I am trying to configure a user account that is a group account so that it cannot be logged into directly from anywhere, but that it may still be available (not locked) in console using su. The reasoning behind this is for the purpose of auditing and user accountability. If many people share an account and they can login directly, then I cannot trace potential malicious attacks. On the other hand, if I have a user login as themselves then su to this account then there is accountability. It is the same as having root login disabled for the same reason. I am using OpenSuSE 11.0 and I have tried to configure the /etc/security/access.conf file to disable the login, but it has not worked at all. I entered “- : ops : LOCAL” and I see no results. Am I missing a step in activating the access.conf file? Any help will be greatly appreciated as I have researched this issue for hours.


Here is my example to modify permission for user nologin:



Thanks for the reply. I have already used the /bin/nologin and /bin/false options in the passwd file, but those disable konsole use rendering the user account useless. I still want full access to the account. I just want to disable logins of all types, thereby forcing users to login as themselves and su to the account. I know this is a common practice for root, and I know how to setup this option for root, but I am having trouble getting it to work for a non-root user without fully disabling the account. I was also curious if there was a way to configure PAM to handle this task. Thanks again for the help.


We found a fix for this issues. To disable a particular user/users from logging in locally or from say a particular external IP you setup PAM to control this. You add the line “account required pam_access.so” to /etc/pam.d/xdm. Then you tell pam which users to disallow in /etc/security/access.conf by using the syntax + or - (for enable or disable) then the user, then which host to disable or enable login access from. Example: -:jon: to disable jon from logging in from this IP address. For my situation we used -:lynn:LOCAL which disallows local logins. You can also use the trigger ALL to disable this user from logging in from anywhere. With this method the user is still accessible using su but not by direct login.