https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422624#M747962 Thanks again Bill.<BR /><BR />I set "PermitRootLogin" to "no" and did a "kill -SIGHUP <PID>". It doesn't allow me to ssh login as root. However, instead of a clear message, it still prompts for password. After I put in password, it keeps asking "password for root@<HOSTNAME>:" which is a bit annoying (see below).<BR /><BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> <BR /> Disconnected; protocol error (Too many authentication failures for root).<BR /><BR />As you can see, after 7 tries, it finally kicked me off.<BR /><BR />Is this the way supposed to be?<BR /><BR />Thanks,<BR />Peng</HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></PID> Mon, 15 Nov 2004 22:42:28 GMT Peng Lu 2004-11-15T22:42:28Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422619#M747957 Hi,<BR /><BR />I want to disable remote root login on HPUX 11i hosts. (only allow users login remotely as a normal user then su to root). I have created /etc/securetty file with the content "console". However, I can still remotely login as root through ssh2.<BR /><BR />Is ssh handled differently or do I need to reboot after creating /etc/securetty file?<BR /><BR />Thanks in advance.<BR />Peng Mon, 15 Nov 2004 21:49:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422619#M747957 Peng Lu 2004-11-15T21:49:05Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422620#M747958 Yes, ssh (older versions) do not use PAM for authentication. Download the latest version of OpenSSH from HP at software.hp.com. Alternatively, enable the parameter in your sshd_config file: <BR /> <BR />sshdPermitRootLogin no<BR /> <BR />NOTE: This should be mandatory on *ANY* system facing the open Internet. Over the last few months, many, many scripted attacks for ssh have been seen and root is one of several common logins being tested by hackers. Mon, 15 Nov 2004 21:54:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422620#M747958 Bill Hassell 2004-11-15T21:54:03Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422621#M747959 Almost forgot: the latest version of OpenSSH from HP is 3.71 and the item you need to turn on in sshd_config is:<BR /> <BR />UsePAM yes Mon, 15 Nov 2004 21:57:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422621#M747959 Bill Hassell 2004-11-15T21:57:02Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422622#M747960 Thanks Bill.<BR /><BR />swlist shows my ssh is the following version:<BR />"Secure_Shell A.03.71.000 HP-UX Secure Shell". And in "/opt/ssh/etc/sshd_config" file, "UsePAM" is set to "yes".<BR /><BR />Am I looking into the wrong file?<BR /><BR />Peng<BR /> Mon, 15 Nov 2004 22:15:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422622#M747960 Peng Lu 2004-11-15T22:15:10Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422623#M747961 I think I remember that /etc/securetty was hardcoded into the login program and not incorporated into PAM. You'll need to use:<BR /> <BR />PermitRootLogin no Mon, 15 Nov 2004 22:22:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422623#M747961 Bill Hassell 2004-11-15T22:22:38Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422624#M747962 Thanks again Bill.<BR /><BR />I set "PermitRootLogin" to "no" and did a "kill -SIGHUP <PID>". It doesn't allow me to ssh login as root. However, instead of a clear message, it still prompts for password. After I put in password, it keeps asking "password for root@<HOSTNAME>:" which is a bit annoying (see below).<BR /><BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> password for root@<HOSTNAME>: <BR /> <BR /> Disconnected; protocol error (Too many authentication failures for root).<BR /><BR />As you can see, after 7 tries, it finally kicked me off.<BR /><BR />Is this the way supposed to be?<BR /><BR />Thanks,<BR />Peng</HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></HOSTNAME></PID> Mon, 15 Nov 2004 22:42:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422624#M747962 Peng Lu 2004-11-15T22:42:28Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422625#M747963 <BR />Hi<BR /><BR />#echo console &gt; /etc/securettys<BR />#chmod 0744 /etc/securettys<BR /><BR />no need to reboot after creating /etc/securettys file<BR /><BR />ssh is given for security, it wouldn't allow direct root login even though /etc/securettys is not exist. Tue, 16 Nov 2004 00:31:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422625#M747963 Ravi_8 2004-11-16T00:31:53Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422626#M747964 Hi Ravi,<BR /><BR />I've already done what you said. See my previous messages.<BR /><BR />BTW, ssh does allow you login as root if you don't change configuration.<BR /><BR />Thanks anyway.<BR />Peng Tue, 16 Nov 2004 00:51:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422626#M747964 Peng Lu 2004-11-16T00:51:09Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422627#M747965 Yes, the ssh daemon does not give you a useful message and keeps denying access several times before closing the connection. The retry (in your case, 7) is set in the sshd_config file with PasswordGuesses. There are two schools of thought on error messages:<BR /> <BR />1. Provide the reason for authentication failure such as "root login is not allowed"<BR /> <BR />2. Use the same generic response for all authentication failures such as another request for the password.<BR /> <BR />In case #1, the sysadmin will know the reason without looking in syslog, but at the same time, provide the hacker with too many details. In case #2, the actual failure (root not allowed, username does not exist, password incorrect, etc) is not given, thus keeping the real reason away from the unauthenticated user. Most security people will choose less information for login attempts. Even Unix will not report whether you failed to type the username or failed to type the correct password, just "Login incorrect" Tue, 16 Nov 2004 07:31:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422627#M747965 Bill Hassell 2004-11-16T07:31:52Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422628#M747966 Thanks Bill.<BR /><BR />Looking into sshd_config file, I couldn't find "PasswordGuess" parameter though. Is this something by default no there?<BR /><BR />Peng Wed, 17 Nov 2004 18:24:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422628#M747966 Peng Lu 2004-11-17T18:24:07Z https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422629#M747967 Ooops, sorry, that is a keyword for F-Secure's ssh2 product and not part of OpenSSH (I run both products on different servers). Wed, 17 Nov 2004 21:43:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/disable-remote-root-login/m-p/3422629#M747967 Bill Hassell 2004-11-17T21:43:18Z