topic Re: Root access across the network in Operating System - HP-UX

Root access across the network

Roxworth Cornette — Wed, 15 May 2002 12:07:33 GMT

I have a few HPUX workstations that i need to access from one that i do my administration on. My problem is that root on my machine does not have exclusive access on another machine to do certain things even though all of the workstations have the same root password. I am running NIS. Is there something that i can do that will allow the other workstations to know that root on my workstation is the same as root on their workstations?

Re: Root access across the network

Pete Randall — Wed, 15 May 2002 12:08:56 GMT

You need to have .rhosts set up on each machine.

HTH,
Pete

Re: Root access across the network

Sukant Naik — Wed, 15 May 2002 12:12:12 GMT

Hi,

Few options

1. create an .rhosts file in the root's home directory on each of the server with the following entries

server1 root
server2 root
server3 root

Then you can do rlogin to any of the servers without entering the password.

Re: Root access across the network

Sukant Naik — Wed, 15 May 2002 12:18:57 GMT

Hi Roxworth,

Sorry I pressed submit by mistake. The earlier posting of mine was not complete.

> Is there something that i can do that will allow the other workstations to know that root on my workstation is the same as root on their workstations?

You can change the following passwd entry in the /etc/nsswitch.conf file of your servers

passwd: nis files

This means that the system will check the NIS server for the root user and then the local passwd file and you will have only one password for root across all your servers in the NIS domain.

I feel there are issues with this, which I want our other forum members to also contribute.
( Like what happens the NIS server is down )

-Sukant

Re: Root access across the network

PIYUSH D. PATEL — Wed, 15 May 2002 12:23:57 GMT

Hi,

You can try want Sukant told.

If your NIS server fails then you do have a problem. You can also create a NIS slave server which will contain the backup map files.

Regards,
Piyush

Re: Root access across the network

Jeff Schussele — Wed, 15 May 2002 12:32:44 GMT

One issue that should be addressed is that root telnet access be disallowed from non-console ttys. This is a high security risk if allowed to happen.
It can be prevented by creating a file
/etc/securetty
that contains the string console
File should have only root write perms.
If users need root telnet access they should login with their normal UIDs & su up to root.
Note this will NOT prevent rpc access i.e. rlogin, remsh, etc. Will ONLY prevent root telnet access from anywhere EXCEPT the console.

The other is that any .rhosts files should ONLY have user read/write perms - 0600 perms in octal. AND the user's home dir should have write restricted perms such that no other user could write a new .rhosts file into it.

Even such using .rhosts & hosts.equiv still present a significant security risk & perms on the above files should be closely watched.

Rgds,
Jeff