topic Re: block telnet for root only .. in Operating System - HP-UX

block telnet for root only ..

someone_4 — Thu, 07 Feb 2002 21:51:27 GMT

Hi ..
I am trying to block telnet for root only. But I have another user with an id of 0 that needs to be able to telnet. I did /etc/securetty but that blocks everything with the uid of 0. Is there another only the user name of root form telnet?

Richard

Re: block telnet for root only ..

Michael Tully — Thu, 07 Feb 2002 21:59:16 GMT

Hi Richard,

You could try to set up a evaluation
of the user in the /etc/profile that
screens each user.

-Michael

Re: block telnet for root only ..

Patrick Wallek — Thu, 07 Feb 2002 22:01:47 GMT

Create a file called /etc/securetty and put the word 'console' (without the ' marks) in it and root will only be able to log in from the console. I don't think this will effect your other uid 0 user, but it might. Try it and see what happens.

# cat /etc/securetty
console

Re: block telnet for root only ..

someone_4 — Thu, 07 Feb 2002 22:03:27 GMT

I got this form another questoin on the forum but it was a bit too much.

if [ $LOGNAME = 'badUser' ]
then
exit 1
fi

Richard

Re: block telnet for root only ..

someone_4 — Thu, 07 Feb 2002 22:04:29 GMT

hi
yes
/etc/securetty
blocks all uids of 0.

Richard

Re: block telnet for root only ..

S.K. Chan — Thu, 07 Feb 2002 22:06:00 GMT

Use $LOGNAME to validate (if you want to go the /etc/profile route).

Re: block telnet for root only ..

Michael Tully — Thu, 07 Feb 2002 22:11:46 GMT

Hi Richard,

I should have thought of this before. I hope that this works.

Create /etc/nologin

Modify your /etc/profile with

if [ -f /etc/nologin && ${LOGNAME} != "root" ]
then
echo "Not allowed to login as UID 0"
exit 1
fi

This way you don't need to modify anything else on your system, if you want to get rid of it just remove the /etc/nologin file

HTH
-Michael

Re: block telnet for root only ..

someone_4 — Thu, 07 Feb 2002 23:08:22 GMT

how can i let console login for root only?

richard

Re: block telnet for root only ..

James R. Ferguson — Thu, 07 Feb 2002 23:20:59 GMT

Hi Richard:

Any account with a uid=0 *is* "root". It would seem that your trying to close the barn door after the horses have gotten out!

Regards!

...JRF...

Re: block telnet for root only ..

Patrick Wallek — Thu, 07 Feb 2002 23:27:30 GMT

This may seem like a silly suggestion but, why not have the pserson with the other uid 0 id telnet in with a normal, ie non uid 0, id and then su to root?

That way you can use securetty and still get access.

Re: block telnet for root only ..

Michael Tully — Fri, 08 Feb 2002 00:25:54 GMT

Hi Richard,

One further thing... Why not have everything
but the console still locked down with /etc/securetty
and....set up sudo, so that you can control what user uses what. I'm not sure of the reasoning as to why you want a second account using the uid of 0.

-Michael

Re: block telnet for root only ..

Bill Hassell — Fri, 08 Feb 2002 00:33:02 GMT

Just a note abnout security and stability: multiple UID 0 users is a really bad idea. The alternate root user(s) will make a mistake sometime as an ordinary user. Root's capability is far too powerful to use as a casual login. If the user(s) leaves the company and you remove all the files owned by this user...goodbye computer.

Instead, assign root privileges explcitly by usinge SAM -r (restricted SAM) or by getting a copy of sudo.