topic Re: telnet and restricting root access in Operating System - HP-UX

telnet and restricting root access

Chelsea Matej_1 — Tue, 25 Jun 2002 14:37:35 GMT

I need to connect to one of our servers via telnet as root. HPUX 10.2 from within our network. When I try, I get the message login incorrect. After searching the archives, I found references to /etc/ftpd and modifying the files ftpaccess or ftpusers. none of these exist on this server. I was thinking that this may be the problem, however, none of our 10.2 servers have this dir or files and they work fine.

The db admin thinks that the last sys admin changed some global variable or enviroment parameter to disallow root access to telnet.

Is anyone aware of how this may be done?

Thanks. C

Re: telnet and restricting root access

Sridhar Bhaskarla — Tue, 25 Jun 2002 14:40:26 GMT

Hi,

Look at the contents of /etc/securetty file. It restricts the login for root.

-Sri

Re: telnet and restricting root access

Sanjay_6 — Tue, 25 Jun 2002 14:41:06 GMT

Hi Chelsea,

Look for the file "securetty" in /etc. If this file exist and if it has an entry console in it, you can login as root only from the console. From all other tty, you can login as some other user and then do a "su -" to go as root.

If you want to login as root using telnet, you can move this file out of the way, delete it or rename it and then do a telnet to the system as root.

Hope this helps.

Regds

Re: telnet and restricting root access

Peter Kloetgen — Tue, 25 Jun 2002 14:41:53 GMT

Hi Chelsea,

you can use SAM to find out. Go to security and then check it out for telnet service. You can disable access with a lot of services for all, for specified networks, for hosts or for users.

But remember, telnet as root is a security hole!!! Telnet service uses no data encryption so better login as normal user and then make a switch user with su- command.

Allways stay on the bright side of life!

Peter

Re: telnet and restricting root access

Duncan Edmonstone — Tue, 25 Jun 2002 14:41:54 GMT

Take a look at the file:

/etc/securetty

This contains a list of all terminals from which a user may login directly as root. Chances are it just has the word "console" in it, which means you can only log in as root from the console.

To remove this protection, delete the file (DON'T just take the console line out of the file, that will prevent login directly as root from anywhere!)

I would advise against this however... much better practice is to login as a normal user, and then use 'su -' to become root.

HTH

Duncan

Re: telnet and restricting root access

James R. Ferguson — Tue, 25 Jun 2002 14:42:44 GMT

Hi:

Check for 'etc/securetty'. If it exists this may be your problem. You would find a line:

root console

This would allow root to login to the console (only).

Regards!

...JRF...

Re: telnet and restricting root access

PIYUSH D. PATEL — Tue, 25 Jun 2002 14:44:31 GMT

Hi,

1. Check for the ipaddresses in /etc/hosts
2. Check the /etc/securetty file
3. Check the .rhosts file in the roots home directory

Piyush

Re: telnet and restricting root access

MANOJ SRIVASTAVA — Tue, 25 Jun 2002 14:49:57 GMT

Also check for /etc/shells I think that is becasue someone has defined /bin/sh there so it will say root acess denied.

just delete that file or rename it.

Manoj Srivastava

Re: telnet and restricting root access

Shahul — Tue, 25 Jun 2002 15:01:58 GMT

Hi

Are U able to login as normal user from the same machine? If yes, this can be because of /etc/securetty. Just move this file and see, whether U are able to login or not. If U are able to login as other users, but not root, then try trhis

Login as normal user, then

$su -

If U are not able to login at all from this machine, check for an entry in /var/adm/inetd.sec. Remove this and try

Best of luck
Shahul

Re: telnet and restricting root access

Chelsea Matej_1 — Tue, 25 Jun 2002 16:29:49 GMT

thanks everyone for your assistance. I think that I will leave the securetty file the way it is. then the db admin can just su -.

At least now, I know what is going on.

Chelsea

Re: telnet and restricting root access

Fred Martin_1 — Wed, 26 Jun 2002 13:31:18 GMT

I think that's wise ... if you force them to 'su' to root, then there is a log entry as to which user su'd to root, since they have to log in as themselves, first.