https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824042#M270664 Hi there --<BR /><BR />What configuration file(s) and what syntax should I use to modify in order to prevent the root user from being able to log into a system via SSH? Thanks Fri, 14 Jul 2006 15:35:27 GMT Andrew Kaplan 2006-07-14T15:35:27Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824042#M270664 Hi there --<BR /><BR />What configuration file(s) and what syntax should I use to modify in order to prevent the root user from being able to log into a system via SSH? Thanks Fri, 14 Jul 2006 15:35:27 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824042#M270664 Andrew Kaplan 2006-07-14T15:35:27Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824043#M270665 logged in as root, create a file under /etc, called securetty and insert one line in it whic says console and you are done<BR /><BR />as root, run these two commands:<BR /><BR />echo console &gt;/etc/securetty<BR />chmod 600 /etc/securetty Fri, 14 Jul 2006 15:40:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824043#M270665 Mel Burslan 2006-07-14T15:40:59Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824044#M270666 In your sshd_config a line like this:<BR /><BR />PermitRootLogin no<BR /><BR />will disallow root logins via SSH. The location of the file may vary depending on where you got your SSH from.<BR /><BR />I am using the HP distributed SSH and this file is located in /etc/opt/ssh.<BR /><BR />You will have to stop and restart SSH for this to take effect.<BR /> Fri, 14 Jul 2006 15:42:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824044#M270666 Patrick Wallek 2006-07-14T15:42:51Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824045#M270667 /etc/securetty has no effect on SSH. At least not for me. Fri, 14 Jul 2006 15:44:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824045#M270667 Patrick Wallek 2006-07-14T15:44:05Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824046#M270668 Andrew,<BR /><BR />To prevent root from logging in via ssh modify the sshd.config file and look for the PermitRootLogin line, you want to change this parameter to no.<BR /><BR />The location of the file is in /opt/ssh/etc, at the end please restart the service.<BR /><BR />Regards,<BR /><BR />Jaime.<BR /><BR /> Fri, 14 Jul 2006 15:44:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824046#M270668 Jaime Bolanos Rojas. 2006-07-14T15:44:54Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824047#M270669 Thanks for the help. I modified the sshd_config file and restarted secure shell. As long as I am asking, I would like to have the "Authorized Use" or "Unwelcome Mat" message appear when a user logs into the system by ssh. Again, what file(s) would I need to accomplish this? Thanks. Fri, 14 Jul 2006 15:51:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824047#M270669 Andrew Kaplan 2006-07-14T15:51:24Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824048#M270670 again, in the sshd_config file, uncomment the line<BR />#Banner /some/path<BR /><BR />and replace /some/path with whatever the path to the banner message you want displayed.<BR /><BR />Restart sshd and you've got it. Fri, 14 Jul 2006 16:08:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824048#M270670 Mark Fenton 2006-07-14T16:08:47Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824049#M270671 Hi<BR />The thread is quite informative but i want to dissable root login using password over ssh. I want ssh root login using public key authentication to be remain open. How to do that<BR />I have lots of scripts which calls programmes from one server to other using public key login. I cant stop those.<BR />Pls help. Sun, 23 Jul 2006 01:14:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824049#M270671 Amitava_HP-UX 2006-07-23T01:14:10Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824050#M270672 The PermitRootLogin option can be given four values. The default is "yes"; the obvious alternative "no" was already mentioned. The other values are "without-password" and "forced-commands-only". <BR />Please read "man sshd_config" for more information.<BR /><BR />The "without-password" does NOT mean root can login with no authentication at all: it means that root can use any authentication mechanism other than a password to log in. Usually this means SSH keys, but in some environments this could also mean smart card, SecurID or some other authentication system. <BR /><BR />The "forced-commands-only" is a very strict setting: it accepts SSH keys only, *and* each authorized key must have a fixed command defined for it in the root user's ~/.ssh/authorized_keys file. When a root login is made using a key, sshd does not even check what the client wanted: it runs the command specified for that key, and nothing else. When that command completes, the connection is closed. <BR /><BR />The "forced-commands-only" option might be useful if someone steals the keys you're using for automated actions with root access. In the normal situation, the thief can do *anything* to your systems; but if you're using forced commands, the damage is limited. For example, if someone steals the key used to make backups, you know the thief can steal your data (by making an "extra backup") but he/she cannot corrupt the data in your system. Sun, 23 Jul 2006 01:59:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824050#M270672 Matti_Kurkela 2006-07-23T01:59:30Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824051#M270673 hi,<BR /><BR />find your configuration for ssh config. for default, sshd_config put in /opt/ssh/etc<BR />edit line:<BR />PermitRootlogin No<BR /><BR />than restart your sshd daemon:<BR />#ps -ef|grep sshd<BR />#kill -HUP pid of sshd<BR /><BR /><BR />-yut- Sun, 23 Jul 2006 22:15:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-root-login-via-secure-shell/m-p/3824051#M270673 yulianto piyut 2006-07-23T22:15:53Z