https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459158#M209792 Hi Stefano,<BR /><BR />For root it is easy.<BR /><BR />Create a file called /etc/securrety<BR /># echo console &gt; /etc/securetty<BR /># chmod 400 /etc/securrety<BR /><BR /><A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html" target="_blank">http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html</A><BR /><BR />Best regards,<BR />Robert-Jan Mon, 10 Jan 2005 04:50:02 GMT Robert-Jan Goossens 2005-01-10T04:50:02Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459157#M209791 Hi everybody, <BR />I need to deny a direct access of some users (root, oracle) via telnet, force them to login as different user and using su. <BR />Logins are not restricted to specific hosts.<BR /><BR />Any suggest?<BR /><BR />thanks.<BR /><BR />s.<BR /><BR /> Mon, 10 Jan 2005 04:42:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459157#M209791 Stefano_65 2005-01-10T04:42:52Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459158#M209792 Hi Stefano,<BR /><BR />For root it is easy.<BR /><BR />Create a file called /etc/securrety<BR /># echo console &gt; /etc/securetty<BR /># chmod 400 /etc/securrety<BR /><BR /><A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html" target="_blank">http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html</A><BR /><BR />Best regards,<BR />Robert-Jan Mon, 10 Jan 2005 04:50:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459158#M209792 Robert-Jan Goossens 2005-01-10T04:50:02Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459159#M209793 Ok for root access. <BR />Now, I'va a new question: I want to allow su - root only for some users.. Can I do this?<BR /><BR />Thanks again!<BR /><BR />s. Mon, 10 Jan 2005 05:22:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459159#M209793 Stefano_65 2005-01-10T05:22:04Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459160#M209794 When using su, user displayed by "who -m" is always the user who first issued telnet to the host. You can then in root's .profile get result of this command and compare to a valid user list (only readable and writable by root).<BR /><BR />Regards,<BR /><BR />Fred<BR /> Mon, 10 Jan 2005 05:37:08 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459160#M209794 Fred Ruffet 2005-01-10T05:37:08Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459161#M209795 Hi Stefano,<BR /><BR />Check this doc.<BR /><BR />How can one keep users from running the su(1) command, yet still allow<BR />a couple of users to be able to do this?<BR />RESOLUTION<BR />This feature is available via the SU_ROOT_GROUP parameter on HP-UX 11.11<BR />and HP-UX 11.00 with the following patch installed:<BR /><BR />PHCO_15232 s700_800 11.00 su(1) cumulative patch<BR />The current version is PHCO_16127.<BR /><BR /><A href="http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;docId=200000076457542" target="_blank">http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;docId=200000076457542</A><BR /><BR />Hope this helps,<BR />Robert-Jan Mon, 10 Jan 2005 05:41:48 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459161#M209795 Robert-Jan Goossens 2005-01-10T05:41:48Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459162#M209796 Yes you can restrict 'su' for certain users<BR />by specifying in<BR /><BR />/etc/default/security<BR /><BR />man security shows:<BR /><BR /> SU_ROOT_GROUP<BR /><BR /> This parameter defines the root group name for the su<BR /> command. Refer to su(1).<BR /><BR /> SU_ROOT_GROUP=group_name The root group name is set to<BR /> the specified symbolic group name. The su command<BR /> enforces the restriction that a non-superuser must be a<BR /> member of the specified root group to be allowed to su<BR /> to root. This does not alter password checking.<BR /><BR /> Default value: If this parameter is not defined or if<BR /> it is commented out, there is no default value. In<BR /> this case, a non superuser is allowed to su to root<BR /> without being bound by root group restrictions.<BR /><BR /><BR />Hope this helps<BR /><BR />--<BR />M<BR /><BR /> Mon, 10 Jan 2005 05:45:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459162#M209796 Michael Selvesteen_2 2005-01-10T05:45:24Z https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459163#M209797 thanks everybody! Mon, 10 Jan 2005 05:48:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/telnet-and-root/m-p/3459163#M209797 Stefano_65 2005-01-10T05:48:25Z