topic Re: SSH root login in Operating System - HP-UX

SSH root login

enrico.nic — Mon, 24 Jan 2005 12:51:23 GMT

Hi

Having noticed that recent many logon attempts as root through SSH came on my server, I just wanted to ask for 2 questions:
- after an account (root, in this case) has been locked out (for too many attempts) is it possible to re-enable it from the command line ? Maybe with sudo ?
- I tried to inhibit root logons via SSH, adding a "deny file" to the sshd daemon. This works in general (even with the right password you cannot logon), but does not inhibit the registration mechanism of the accesses: that is, after n logon attempts (3 in my case) the user is definitely locked out from the machine. Is there a better mechanism ? Maybe /etc/securetty ?

Thank you

-- Enrico

Re: SSH root login

Florian Heigl (new acc) — Mon, 24 Jan 2005 12:55:20 GMT

Set PermitRootLogin No in /etc/ssh/sshd_config and better also have a /etc/securetty around.

honestly I never had to re-enable a locked account, I guess simply doing a passwd will do, but You will have to do it at the console.

Re: SSH root login

enrico.nic — Mon, 24 Jan 2005 13:03:09 GMT

Sorry I forgot to mention that I would preferably re-enable the account from remote, without accessing the console.
Thank you

Re: SSH root login

Rick Garland — Mon, 24 Jan 2005 13:06:51 GMT

To reenable the root account after being locked out from too many login attempts, do so from the console.

If you already have a window open with the root account active, can do so via SAM

Re: SSH root login

Steven E. Protter — Mon, 24 Jan 2005 13:39:41 GMT

Root account can be enabled two ways:

console login.

/usr/lbin/modprpw -l -k root

How to do the second is rough unless you have a session already logged in.

You can also boot single user mode and reset the passwrd portion of /etc/passwd or /etc/shadow for shadow systems or /tcb/files/auth/r/root

SEP

Re: SSH root login

Jitao Yin_2 — Mon, 24 Jan 2005 13:43:59 GMT

To see if you are locked out, enter this command from a console or a terminal:

/usr/lbin/getprpw -m lockout "username"
any non-zero return indicates lockout.

To clear the lock:

/usr/lbin/modprpw -k "username"

Jitao Yin

Re: SSH root login

Bill Hassell — Mon, 24 Jan 2005 16:04:26 GMT

As most sysadmins have found out, any Unix box that is running SSH and also connectred to the open Internet (or their firewall permits SSH passthrough) has been regularly attacked from kiddie scripts run in Asia and also from Europe. root login via SSH should ALWAYS be disabled, especially if the systems have incoming Internet connections (look at syslog for sshd reporting DNS problems). The modprpw command will re-enable root but only when you are already a root user. This is where sudo is quite useful. /etc/securetty should also exist like this:

echo console > /etc/securetty

Now, telnet and terminals or modems on serial lines cannot login as root. NOTE: remsh and rexec, etc still work OK and could be used to run modprpw. Note that modprpw is located in a special place:

rexec snoopy /usr/lbin/modprpw -k root