topic prevent root login in Operating System - HP-UX

prevent root login

Fred Martin_1 — Tue, 23 May 2000 14:58:58 GMT

I'd like to prevent root login, but only from particular locations - my dialup modem and telnets from internet.

securetty (man login) provides for a list of terms where root -can- login, but I'm looking more for an exclude list.

Thanks

Re: prevent root login

melvyn burnard — Tue, 23 May 2000 15:05:51 GMT

If you create an empty /etc/securetty file, then you exclude direct root login even from hte console.
You can then login as your own uid, and do su - to get root priveleges.
If you want to ensure the console has root access, then have the only entry as console.

This excludes every other method.

Re: prevent root login

Dennis Trice — Tue, 23 May 2000 19:03:06 GMT

Create a /etc/securetty file and enter in which devices you want to lock out

Re: prevent root login

William Dy — Wed, 31 May 2000 18:10:14 GMT

Look into /var/adm/inetd.sec. This will allow you to limit access to certain IP range. I think this will fix your internet telnet problem.

Additional, to exclude the root on the dialup modem, I would suggest you add in the /etc/profile script to terminate the telnet session if it is coming from a certain tty port. Make sure that you have the trap statement as your very first command line in the /etc/profile to trap for the break signal.

Re: prevent root login

Fred Martin_1 — Tue, 13 Jun 2000 17:32:46 GMT

One problem I discovered with using /etc/profile ... I added a test to see if the user was root, and if the tty was the modem, then to logout the user if that was the case. Problem there is, if a normal user logs in on the modem tty, then su's to root (su -) the user gets logged out. Not what I wanted.

Using /etc/securetty with one line (console) turned out to be the best solution. The admins here never log in as root directly anyway - we always su from our normal accounts.

My main concern was disallowing root logins via internet telnet and the modem, and that certainly solved it.