topic Re: Disable root telnet in Operating System - HP-UX

Disable root telnet

Raghuram Ollakal_1 — Wed, 30 Apr 2003 12:50:30 GMT

I would like to know is there a way in HPUX you can disable root to telnet to the server. I know sun solaris under " /etc/default/login" you can block root telnet to the server.

Re: Disable root telnet

John Poff — Wed, 30 Apr 2003 12:52:13 GMT

Hi,

You can put an entry in the /etc/securetty file so that root can only login at the console. Everybody else will have to login under another account and su to root. Just put this:

console

in /etc/securetty and you'll be set.

JP

Re: Disable root telnet

Raghuram Ollakal_1 — Wed, 30 Apr 2003 13:29:16 GMT

I was not able to see a file " etc/securitty" on my server. even I did a " find / - name securitty -print" comes up empty. Could you check and make sure that is the right file, please.

Re: Disable root telnet

John Poff — Wed, 30 Apr 2003 13:32:20 GMT

Sorry. My explanation wasn't real clear. You might not have an /etc/securetty file on your system. The file isn't there by default. You can just create one and just put the word 'console' in it to restrict root logins to the console.

Take a look at 'man login' and it will explain a little more about the securetty file.

JP

Re: Disable root telnet

Michael Steele_2 — Wed, 30 Apr 2003 13:35:14 GMT

As Mr. Poff stated, use /etc/securetty. If not present, make one.

vi /etc/securetty
console

chmod 440 /etc/securetty (* make it read only *)

From the man page for 'login':

"...If the /etc/securetty file is present, login security is in effect, i.e., root is allowed to log in successfully only on the ttys listed in this file. Restricted ttys are listed by device name, one per line. Valid tty names are dependent on the installation. An example is

console..."

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B9106-90007/B9106-90007_top.html&con=/hpux/onlinedocs/B9106-90007/00/01/177-con.html&toc=/hpux/onlinedocs/B9106-90007/00/01/177-toc.html&searchterms=login%7c/etc/securetty&queryid=20030430-083357

Re: Disable root telnet

John Poff — Wed, 30 Apr 2003 13:35:33 GMT

Also, it might just be a typo, but in your post you spelled it "securitty" instead of "securetty".

JP

Re: Disable root telnet

Uday_S_Ankolekar — Wed, 30 Apr 2003 13:40:26 GMT

create a file in /etc called "securetty"
and put an entry called "console"

This will allow root access only from console and rest all the telnet sessions need to login as own user id then do a su to access superuser

-USA..