topic Re: Disallow remote root, but all ow others in Operating System - HP-UX

Disallow remote root, but all ow others

Mike_316 — Wed, 13 Feb 2002 18:25:16 GMT

Hey Folks!

I would like to configure an HPUX 10.20 box to DISallow root to remotely login via rlogin or telnet, but allow other users to remotely login and then su to root.

I would also like to allow root to log in directly from a terminal attached directly to the box, but only a text terminal, not an xterminal should one ever get attached directly to the box.)

Hope this is clear and thanks in advance!
Mike

Re: Disallow remote root, but all ow others

Ian Dennison_1 — Wed, 13 Feb 2002 18:29:07 GMT

Create an entry in the remote .rhosts file with the following,...

[hostname] -root

This should deny root rlogins, but allow 'su' once the user is logged in.

Share and Enjoy! Ian

Re: Disallow remote root, but all ow others

Mike_316 — Wed, 13 Feb 2002 18:34:42 GMT

Fantastic! I will try it...however, can wildcards be used in the .rhosts file. I don't want ANY machine to be able to remote in as root, but don't want to have to maintain a list of all the machines on the network ON all the machines on the network (all the machines need to be set to disallow this.)

Thanks again!
Mike

Re: Disallow remote root, but all ow others

Mark Greene_1 — Wed, 13 Feb 2002 18:37:13 GMT

create the file /etc/securetty and add the following:

console
tty1

and whatever hardwired tty's you have from which you want root access. Note that this does not prevent anyone who knows the root password from doing su from a remote login to get to root.

HTH
mark

Re: Disallow remote root, but all ow others

Sanjay_6 — Wed, 13 Feb 2002 18:43:07 GMT

Hi Mike,

you could look into inmplementing inetd.sec to disallow remote login using root user id,

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90685/B2355-90685_top.html&con=/hpux/onlinedocs/B2355-90685/00/00/10-con.html&toc=/hpux/onlinedocs/B2355-90685/00/00/10-toc.html&searchterms=inetd.sec&queryid=20020213-104557

Hope this helps.

Regds

Re: Disallow remote root, but all ow others

Mike_316 — Wed, 13 Feb 2002 18:46:09 GMT

Great! I will try that too...unfortunately, the .rhosts is not working to prevent remote login. I remember reading somewhere that the root user is exempt from that sort of control (I.E. Any OTHER username entered in the .rhosts with a minus sign will not be allowed remote login, but root is allowed even if it is seen in the .rhosts.)

Regardless the I tested it from a specificmachine by entering the following in the .rhosts file ...

-root

...and when I tried to rlogin and telnet from the it asked for the username and password and root was alloed to login remotely (without an su.)

By the way, it is GOOD that a user can su once in remotely, we just don't want people logging in as root from a remote session, we want them to have to login as a user first...THEN su to root.

Thanks!
Mike

Re: Disallow remote root, but all ow others

Mike_316 — Wed, 13 Feb 2002 18:53:28 GMT

Sanjay,

Thanks for the document. I had thought about the inetd.sec file, however I don;t know the syntax to disallow just root. It seems only to allow or disallow hosts, and I want users to be able to do rlogin, telnet, and remsh from all the hosts...just not root.

I am not sure how to tell it to disallow just root from all hosts.

Quite a quandry ...

Thanks!
Mike

Re: Disallow remote root, but all ow others

Ian Dennison_1 — Wed, 13 Feb 2002 18:54:17 GMT

Mike,

My apologies, I got my wires crossed while reading the original spec. I was thinking 'remsh' and 'rlogin' without a password being prompted for.

I think this is definitely a job for a package of some description. The last site I worked at disabled root from logging in on anything but the console, but I cannot remember if that stopped rlogins.

Best of luck with the solution. Ian

Re: Disallow remote root, but all ow others

Darrell Allen — Wed, 13 Feb 2002 18:57:14 GMT

Hi Mike,

/etc/securetty is THE way to go for disallowing root login from anywhere but the console and whatever other devices you want to include. Man login gives you an example.

It is a very good practice to require login as non-superuser then su to root.

Darrell

Re: Disallow remote root, but all ow others

Wodisch — Wed, 13 Feb 2002 23:15:32 GMT

Hello Mike,

if you have "dtlogin" running (i.e. CDE), then do not forget to deny "root" (or better: uid=0) in /*/dt/config/Xstartup:

...
if [ "$LOGNAME" = "root" ]
then exit 1
fi
...

where "/*/" is "/etc/" and "/usr/", of course.

HTH,
Wodisch

Re: Disallow remote root, but all ow others

Mike_316 — Wed, 13 Feb 2002 23:17:01 GMT

OK. Here's how I did it. The /etc/securetty was really the right answer. By telling the machine that the only secure terminal is the console attached to the machine, root can only directly login from there. So telnet will not allow root login (as telnet is not 'secure' according to /etc/securetty.

However, this still allowed for rlogin to work. So I used /var/adm/inetd.sec to refuse ALL rlogins by adding the line ...

login deny.

... Now NO ONE can login via an rlogin, however as remsh (rsh) are controlled by a different daemon, you can still run a remote shell, even as root.

Thanks to everytone for getting me on the right track!

Mike

Re: Disallow remote root, but all ow others

Mike_316 — Thu, 14 Feb 2002 00:16:38 GMT

Oh! Thanks for the CDE. I completely forgot.

I could not get the Xstartup file to have any effect. It did exist under /usr, but not /etc...however modifying/copying it to the specifications did not seem to have any effect on the login regardless. So, I put the script in sys.dtprofile and .dtprofile for root, and it has the desired effect.

Thanks again!
Mike

Re: Disallow remote root, but all ow others

Steven Sim Kok Leong — Thu, 14 Feb 2002 02:59:56 GMT

Hi,

>> However, this still allowed for rlogin to work. So I used /var/adm/inetd.sec to refuse ALL rlogins by adding the line ... login deny. ... Now NO ONE can login via an rlogin, however as remsh (rsh) are controlled by a different daemon, you can still run a remote shell, even as root.

If you want to block rlogin, remsh and rexec for all users, the cleaner way would be to simply comment out the following entries from /etc/inetd.conf and run inetd -c to re-read the configuration file:

Comment out these lines:

# exec
# login
# shell

Re-read configuration:

# inetd -c

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Disallow remote root, but all ow others

Darrell Allen — Thu, 14 Feb 2002 13:44:06 GMT

Hi again,

Just to followup on rlogin and /etc/securetty...

rlogin disallows root login from terminals not in /etc/securetty IF root is not set up for rlogin without a password by /.rhosts or /etc/hosts.equiv.

I tend to forget that /.rhosts and hosts.equiv get around securetty because I generally don't allow rlogin (or remsh or rexec) by removing them from inetd.conf.

Darrell

Re: Disallow remote root, but all ow others

Alex Glennie — Thu, 14 Feb 2002 13:53:29 GMT

To prevent root from logging in to CDE at any display:

Create /etc/dt/config/Xsession.d/0001.noroot (755 root sys) with the following contents:

#!/usr/bin/sh

if [ $USER = root ]; then
/usr/dt/bin/dterror.ds 'Root Access Denied\n
Login as a non-root user, \n
or as root through Command Line Login' 'title' 'OK'
exit 0
fi

To prevent root from logging in at remote displays (Xterminals, PC Xemmulators):

Create /etc/dt/config/Xsession.d/0001.noremoteroot (755 root sys) with the following contents:

#!/usr/bin/sh

if [ $USER = root ]; then
if [ ! "$DISPLAY" = "local_hostname:0.0" ] ; then
/usr/dt/bin/dterror.ds 'Remote Root Access Denied\n
Login as a non-root user,\n
or as root at the console' 'title' 'OK'
exit 0
fi
fi

With the second option, replace "local_hostname" with the short hostname of the 9000 in question.
Both of these options will present a user who attempts to login to CDE as root through the prevented means with a dialog box with the associated text. When the user clicks "OK", the login banner will reappear.

Note: The "title" argument is passed to dterror.ds as a required field, but in this case (displaying the pop-up during an attempted CDE login) there is no window manager running. The text given for title will therefor not been seen.

so depending upon who and where you want to prevent them login on you should be able to adapt this for all users too ?

ps you'd need to restart X for it to take effect !

Re: Disallow remote root, but all ow others

Darrell Allen — Thu, 14 Feb 2002 15:36:09 GMT

Learned something else. /etc/hosts.equiv is ignored if the local user is a superuser (man hosts.equiv)

Darrell