topic Re: /etc/securetty problem. in Operating System - HP-UX

/etc/securetty problem.

yank — Mon, 10 Feb 2003 09:52:58 GMT

Hi!

I try to define connection to HP712 station by user root only (there are many users defined in the station). I added file /etc/securetty and it's looks:
cat /etc/securetty
console
ttyp1
ttyp2
But, when I try login to the station (by rlogin command) form other host and by user that not a root, I succeded. What Is my error?
May be file permission?

I'll be really greatful for any advice.

Thank you.

Re: /etc/securetty problem.

Clemens van Everdingen — Mon, 10 Feb 2003 09:58:36 GMT

Hi,

The securetty file means that user root is only allowed to login on the console and other defined tty ports.

If a user does a rlogin form another system it is of course allowed to login, since the user is defined on the workstation !

So if you will deny users login to the system, you will have to remove them from the password file.

C.

Re: /etc/securetty problem.

Christian Gebhardt — Mon, 10 Feb 2003 10:11:16 GMT

Hi

to prevent login you can use a tcpwrapper, there are many postings in this forum.

Another good idea is using ssh and forbid any other access in /etc/inetd.conf

Chris

Re: /etc/securetty problem.

Ravi_8 — Mon, 10 Feb 2003 10:11:38 GMT

Hi,

If /etc/securitty is defined only the root is allowed to login as root from the console and from no where else.
rlogin uses the .rhosts and hosts.equiv files and not the /etc/securetty

Re: /etc/securetty problem.

Robert-Jan Goossens — Mon, 10 Feb 2003 10:11:49 GMT

Hi,

think this link will help you,

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x59d7cdec06f1d61190050090279cd0f9,00.html

Kind regards,

Robert-Jan.

Re: /etc/securetty problem.

yank — Mon, 10 Feb 2003 10:54:17 GMT

Thank you for the answers.

But, it not really helps me.
I try to explain by other way.
I have a modem, that connected to the station.
And I want, that only user root can login through the modem. So, I wanted, to do it by /etc/securetty file. As I understood, I can't do it. So what the right solution (I can't delete other users from the station), but access through the modem should be only for root.

Thank you for your time.

Re: /etc/securetty problem.

Clemens van Everdingen — Mon, 10 Feb 2003 12:12:21 GMT

Hi,

I could not test this idea at the moment, but it might work !

You could try to do a chmod 600 on the device file of the tty used by the modem !?
Of course check if root is the owner in this case.

C.

Re: /etc/securetty problem.

Frank Slootweg — Mon, 10 Feb 2003 15:14:56 GMT

In /etc/profile, you can test if the output of tty(1) is the tty device file of the modem. If it is, you can test if $LOGNAME is root. If so, you continue. If not you do an exit.

Be careful when testing this, because if you make an error, you can lock out everybody this way, including root. Make sure that during testing root is logged in on another terminal, so you can fix things if they go wrong.

If any user has a C-shell in /etc/passwd, you will have to make similar modifications to /etc/csh.login.

Re: /etc/securetty problem.

Chris Wong — Mon, 10 Feb 2003 17:20:20 GMT

There are only 2 things I can think of:
1). Use a dialup password (which can be used on any tty actually). Put the device file name in /etc/dialups. Next, create a password for the shell that root uses and place this in /etc/d_passwd:
/sbin/sh:3VRzvUkI8WwSs:

This should NOT be root's password, but a separate password used just for the modem.

login: root
Password:
Dialup Password:

Does this prevent other users from logging on? No, you must create another entry for every kind of shell in the /etc/d_passwd. Obviously, don't give this password to them and they won't be able to logon. If their shell is not in this file, they just have to hit "enter" at the Dialup Password prompt to get in.

The other alternative is to use the Trusted System "restrict terminal by user" feature. Edit the /tcb/files/devassign file (v_users=root) or in SAM under Peripheral Devices, Terminal & Modems, Select Device, Action - Modify Authorized Users.

- Chris

Re: /etc/securetty problem.

Frank Slootweg — Tue, 11 Feb 2003 08:13:35 GMT

Thanks, Chris!

Forgot all about dialup passwords. They are hardly ever used in this day and age and were hardly ever used in the good old days, but are still a useful feature of UNIX/HP-UX. Thanks for the pointer.

The, very limited, documentation is in the dialups(4) ("man dialups") manual page.

[Please no (0 or N/A) points for this response.]

Re: /etc/securetty problem.

yank — Tue, 11 Feb 2003 10:59:18 GMT

Thank you very much for all supporters!

I used the Chris's solution:
/etc/d_passwd
/etc/dialups.

That works excellent!

Best regards.