You're trying to "over-engineer" things. Once the user has done a
su(1) it can do everything anyway with a lot more power. So why limit the user?
Nope. To you it might be "over-engineering", but to me, it is BAU. And by limiting the user, I mean unauthorized people logging into my server. I don't want them to try privilege escalations of any sort. Only if there is a way of doing that with just su. Then I will look into other methods. If I keep it simple, instead of "over-engineered", then it makes it easier for script kiddies with powerful rigs to log in to my server. Where currently, I want to SSH (with a key, no password, this is already set up) -> login account -> su root (long password) -> "do whatever I need to do". That is my model. If someone manages to log in, then they have to guess my password. They have 3 attempts; after the 3rd attempt, it logs the user out and locks the account for 30 minutes. I have console access to the server, in case something like this happens, to manually intervene or make an emergency change.
The only thing I want to do is limit this one user account from doing anything else (like copying/moving files, trying to access DBs, editing config files, etc.). Its sole purpose is a login account. I am the only one logging in. It is an extra layer of security for me. *Edit to add: Even the username is something very few people would be able to guess.
Thanks Juha, if I can use su as a login shell, that would be great. It limits the account from doing anything else. Can you tell me how to do that exactly? That is something I haven't done before... unless I got your point all mixed up.
PM me if you'd like