I don't think you can do this and still allow access via "su", but I know you can do it and allow access via "sudo". sudo is better for what you want anyway, IMHO.
(1) Create a "passwordless account". Thus, nobody can log in to the account directly. This example creates a group "gengroup" and then a userid of "general" that is in this newly created group "gengroup". HOME directory of /home/general, default shell of /bin/bash. Note: there is no -p option given to useradd, so the login is created in a disabled state.
Code:
$ su
# groupadd gengroup
# useradd \
    -c "General login" \
    -d /home/general \
    -m \
    -g gengroup \
    -s /bin/bash \
    general
#
(2) Allow existing userid "fred" sudo access to the new login "general".
Code:
$ su
# sudoedit /etc/sudoers
add the following line: "fred ALL = /usr/bin/su - general"
#
Userid "fred" can now access "general" like this:
Code:
$ whoami
fred
$ sudo su - general
$ whoami
general
$
Fred will be prompted for a password - the password entered needs to be fred's, not general's (since general does not even HAVE a password!)
If you want fred to be able to access general WITHOUT entering any passwords, change the /etc/sudoers file entry like this:
Code:
$ su
# sudoedit /etc/sudoers
change that previously created line to: "fred ALL = NOPASSWD: /usr/bin/su - general"
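
Added example (not part of the original post): a small shell helper that builds the sudoers line for this setup, syntax-checks it with `visudo -cf` and only then installs it, since a broken sudoers file disables sudo for everyone. sudoers matches command arguments exactly, so the rule includes the `-` used in the `sudo su - general` invocation above. The function names, the `/etc/sudoers.d` drop-in directory and the `su-<target>` file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
SU_PATH=/usr/bin/su          # path used in the post; confirm with: command -v su
DROPIN_DIR=/etc/sudoers.d    # assumption: /etc/sudoers has an includedir for this

# Accept only conservative account names so nothing can smuggle extra
# sudoers syntax (spaces, commas, '=', newlines) into the rule. Dots are
# rejected too, because sudo skips drop-in files whose names contain '.'.
valid_name() {
    case $1 in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
}

# sudoers_rule USER TARGET [nopasswd]  -> prints one sudoers line
sudoers_rule() {
    valid_name "$1" && valid_name "$2" || return 1
    tag=
    if [ "${3:-}" = nopasswd ]; then tag='NOPASSWD: '; fi
    printf '%s ALL = %s%s - %s\n' "$1" "$tag" "$SU_PATH" "$2"
}

# install_rule USER TARGET [nopasswd]  (run as root)
install_rule() {
    rule=$(sudoers_rule "$@") || { echo "invalid account name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    # Validate the candidate file before it can affect the live policy.
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$DROPIN_DIR/su-$2"
        rc=$?
    else
        echo "sudoers syntax check failed; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):  install_rule fred general
# Then confirm what fred is allowed to run:  sudo -l -U fred
```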