topic Re: restricting direct root login in ssh ... in Operating System - HP-UX

restricting direct root login in ssh ...

sukumar maddela — Sat, 29 Oct 2005 05:03:55 GMT

Hai all,

In my company every one are login directly as root. i would like to restrict that direct login to root. I would like all users to login using an individual user account and then use SU as necessary.

plz prepose some solutions to this problem.

thanks and regards
sukumar

Re: restricting direct root login in ssh ...

Svetoslav Gyurov — Sat, 29 Oct 2005 05:09:20 GMT

Hi,

You can edit this file /opt/ssh/etc/sshd_config
and set parameter PermitRootLogin to no. After you restart sshd daemon (/sbin/init.d/secsh restart) no root logins would be allowed.

Best Regards,
sve

Re: restricting direct root login in ssh ...

sukumar maddela — Sat, 29 Oct 2005 05:18:09 GMT

thank you sir, its working

Re: restricting direct root login in ssh ...

Ranjith_5 — Sat, 29 Oct 2005 05:34:20 GMT

Hi Sukumar,

Can you try this method as well..

another way :-
Edit .profile of root as like these
#root.allow
user=`logname`;
sulog="/var/adm/sulog"
TTY="`tty | cut -d/ -f3`"

if [ ${user} = "root" ]
then

if [ ${TTY} != "console" ]
then
echo ":root login allowed only through console..."
exit
fi
else
grep ${user} /etc/root.allow > /dev/null 2>&1

if [ ${?} -ne 0 ]
then
echo " : ${user} is NOT ALLOWED TO LOGIN AS root"
date=`date "+%m/%d %H:%M"`
echo "ERR ${date} - ${TTY} ${user}-root" >> ${sulog}
exit
fi
fi
*****
create a file /etc/root.allow and enter user name who will allowed to do su.

But at my place I am using the method which is mentioned by Svetoslav Gyurov. But we are finding an alternative for this to restrict root login according to the PCs from where we are doing ssh to this machines. We are trying to achieving this using a script. So that only few machines will be able to use direct root logins along with the console. This will give more flexibility to us.

Regards,
Syam

Re: restricting direct root login in ssh ...

Ranjith_5 — Sat, 29 Oct 2005 05:42:10 GMT

Hi Sukumar,

The above script I got from ITRC but not tested. Best method is going ahead with the sshd_config. Please assign only zero points for my posts as your problem is already resolved. Thank you.

Regards,
Syam

Re: restricting direct root login in ssh ...

sukumar maddela — Sat, 29 Oct 2005 05:42:34 GMT

through script it is more flexible, because as root i would like to restrict oracle account also. so i think this script will work.

thank you syam.

Re: restricting direct root login in ssh ...

sukumar maddela — Sat, 29 Oct 2005 05:53:55 GMT

unknowingly i had given the points to second message of syam, sorry for that.

thanking you Svetoslav and syam.

Re: restricting direct root login in ssh ...

Ranjith_5 — Sat, 29 Oct 2005 05:56:53 GMT

Hi Sukumar,

See a thread already posted in ITRC.

there are few scripts which will help you in making your own scripts. May be some modification required but i this this will help you.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=142175

Regards,
Syam