How to prevent end users from logging in directly with service accounts to RHEL VMs?


Have users that continue to log in directly as service accounts to RHEL VMs, which makes it hard to track who is doing what.

Is there a way to prevent end users from logging in directly as a service account? Force them to log in first, and then they can escalate to the service account.

Responses

You could do this by using pam_access.so in the relevant configuration files in /etc/pam.d and setting access rules in /etc/security/access.conf.

You could add a script in /etc/profile.d that would compare the ID against a list of known service accounts and then immediately log them off if a match is found.

I think the easiest and most straightforward would be to modify /etc/passwd with /sbin/nologin for the shell; that way they are forced to log in with their user account and from there can sudo to the service account.

Add an entry to /etc/ssh/sshd_config and restart the sshd daemon, so that the account can remain active inside the OS for running services, cron jobs, etc.:

DenyUsers

To add a little more detail to clarify this response, for this approach do something like the following:

Create a new group called sshdeny

Edit the /etc/ssh/sshd_config file and, at/near the bottom but BEFORE any 'Match' statements you might have, add:

DenyGroups sshdeny

Next, restart sshd.

Add the role accounts you do not want to log in directly via ssh to the sshdeny group. SSH logins should now fail for those accounts.
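The placement step above is where this usually goes wrong: a global directive that lands after a Match line applies only inside that block, so the deny rule silently does nothing. As an added example that is not from this thread, here is a small POSIX sh helper that inserts the DenyGroups line into a copy of sshd_config before the first Match block and a check that reports whether the placement is right; the function names and the use of the sshdeny group are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): insert "DenyGroups <group>" into the
# given sshd_config so that it sits before the first "Match" block. Work on a copy
# first and then validate with `sshd -t` before restarting sshd on a real host.
# Usage: add_denygroups /path/to/sshd_config sshdeny
add_denygroups() {
    cfg="$1"; grp="$2"
    # Idempotent: skip if an active DenyGroups line already names this group.
    if grep -Eq "^[[:space:]]*DenyGroups[[:space:]]+(.*[[:space:]])?$grp([[:space:]]|$)" "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk -v line="DenyGroups $grp" '
        # Emit the directive just before the first Match block; a global keyword
        # placed after a Match line would only apply within that block.
        !done && /^[[:space:]]*Match([[:space:]]|$)/ { print line; done = 1 }
        { print }
        END { if (!done) print line }   # no Match block at all: append at the end
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Check: exit 0 only if "DenyGroups <group>" exists AND precedes every Match block.
# Usage: denygroups_before_match /path/to/sshd_config sshdeny
denygroups_before_match() {
    awk -v grp="$2" '
        /^[[:space:]]*Match([[:space:]]|$)/ { seen_match = 1 }
        /^[[:space:]]*DenyGroups([[:space:]]|$)/ {
            for (i = 2; i <= NF; i++) if ($i == grp) { found = 1; if (seen_match) bad = 1 }
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}
```

On a live system the same check can be cross-checked with `sshd -T | grep -i denygroups`, which prints the effective global value after parsing.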