topic Re: Direct Root Login in Operating System - HP-UX

Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 13:06:19 GMT

Hi,

Please tell me the steps to enable direct root login access in HP Unix 11i v3.

I have made the parameter PermitRootLogin yes in /etc/opt/ssh/sshd_config file.

Have restarted the sshd also.. But still am unable to login directly with root.

Could you please help me.

Many Thanks!
Pauline

Re: Direct Root Login

Jupinder Bedi — Tue, 23 Feb 2010 13:12:02 GMT

see your /etc/securetty file . if this file exists do followuing steps

cat /etc/securetty

and see if thrd "console" is there in the file . if yes than comment out that console but this is not recommended due to security reasons because root can only login from the console. os the best practice is

login as a simple user and do su to root.

Re: Direct Root Login

Sachin Kumbla — Tue, 23 Feb 2010 13:12:05 GMT

Hi

Kindly send the o/p of ps -ef |grep -i ssh command.

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 13:13:29 GMT

Hello, Patricia

You should check your log files in order to find more informations about this issue.

Check /var/adm/syslog/syslog.conf)

Horia.

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 13:16:14 GMT

Hi,

/etc/securetty file is not available in my server.

Here is the o/p of ps -ef |grep sshd

wfapp:root-/>ps -ef |grep sshd
root 8623 1 0 Feb 22 ? 0:00 sshd: dr199476 [priv]
dr199480 14567 14565 0 18:43:25 ? 0:00 sshd: dr199480@pts/6
root 14565 8876 0 18:43:20 ? 0:00 sshd: dr199480 [priv]
root 8876 1 0 Feb 22 ? 0:00 /opt/ssh/sbin/sshd
root 14609 14581 0 18:44:16 pts/6 0:00 grep sshd
dr199476 8625 8623 0 Feb 22 ? 0:00 sshd: dr199476@pts/5
wfapp:root-/>

Re: Direct Root Login

Sachin Kumbla — Tue, 23 Feb 2010 13:18:41 GMT

Hi

you need to change the parameter

PermitRootLogin yes in the following file

/opt/ssh/etc/sshd_config.

& then restart the daemon.

Rgds.,
Sachin Kumbla

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 13:22:03 GMT

Hi,

As I mentioned earlier I have done changes in sshd_config file as well restarted the sshd daemon.

Dear Horia,

I could not find any file syslog.conf under /var/adm/syslog/ directory.

This server is hardened with Bastille Hardening Tool.

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 13:25:16 GMT

>I could not find any file syslog.conf under /var/adm/syslog/ directory.

Check /etc/syslog.conf in order to find out where the syslogd daemon writes the logs.

Horia.

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 13:27:27 GMT

>This server is hardened with Bastille Hardening Tool.

Bastille does not have any customization to disallow root logins from remote? You should check this.

Horia.

Re: Direct Root Login

Johnson Punniyalingam — Tue, 23 Feb 2010 13:59:47 GMT

Please Check "below" from my server sshd_config
try placing # in all Permit from ssh config file.

# grep -i Permit /opt/ssh/etc/sshd_config
#PermitRootLogin forced-commands-only
#PermitEmptyPasswords no
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
#PermitUserEnvironment no
#PermitTunnel no

HTH,
Johnson

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 14:03:57 GMT

I could not find any parameter in bastille configuration file that is disallowing root login.

Hoping that bastille configuration does not come into picture.

Since this server is running HP 11i v3, is there any other changes need to be done??

Re: Direct Root Login

Patrick Wallek — Tue, 23 Feb 2010 14:07:36 GMT

>> But still am unable to login directly with root.

What happens when you attempt to login as root? What command do you run? What error do you get? Commands run and actual errors received would be a very big help in trying to solve this.

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 14:11:12 GMT

Pauline, please read the paragraph below. I have extracted from:

http://docs.hp.com/en/B2355-90950/apbs01.html

"Q: Should Bastille disallow root logins from network tty's? [N] [N]

Level: Account Security

Bastille can restrict root from logging into a tty over the network.
This will force administrators to log in first as a non-root user, then
su to become root. Root logins will still be permitted on the console and
through services that do not use tty's ( e.g. HP-UX Secure Shell ).

This can stop an attacker who has only been able to steal the root password
from logging in directly to a tty. The attacker has to steal a second account's
password to make use of the root password via the network, or gain access to a
non-tty login mechanism.

MAKE SURE that you can login using a non-root account before you do this,
or you will obviously need access to the console or a non-tty remote login
mechanism, e.g. Secure Shell, to login."

Horia.

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 14:17:27 GMT

Dear Patrick,

Am just trying to login to my server via ssh through putty with root login.

Its just giving "Access Denied".

Dear Horiam

I checked this parameter in bastille configuration file.

# Q: Should Bastille disallow root logins from network TTYs? [N]
AccountSecurity.create_securetty="N"

Its not enabled..

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 14:24:49 GMT

There i sone way to actually clarify this for good:

Just enable telnet (if not allready enabled) on the server and try to actually telnet into this server from a remote location.

Also, you should try to find out if

ssh localhost

is working on the server (in order to find out if you have a global issue or only a network related problem).

Horia.

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 14:35:31 GMT

I enabled telnet. Tried to login with root via telnet ..but giving access denied.

I tried to ssh localhost...Prompted for root password.. after giving the password it says "Permission denied, please try again.
"

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 14:39:36 GMT

If you can login as a non-root user, then your problem is with security settings. Maybe Bastille is not working as expected or you have missed some settings.

Horia.

Re: Direct Root Login

Horia Chirculescu — Tue, 23 Feb 2010 14:43:31 GMT

Do you have the file:

/etc/securetty

Which is his content?

cat /etc/securetty

Horia.

Re: Direct Root Login

Pauline Patricia — Tue, 23 Feb 2010 14:45:06 GMT

No.. /etc/securetty is not available..

Re: Direct Root Login

shanmuhanandam — Thu, 25 Feb 2010 12:16:00 GMT

Hi,
login to the console and check #ssh 0 or #telnet 0. if it is not working then revert back the bastille and try it...

Thanks,
Shanmugam.B