topic Re: ServiceGuard and denying Root-Login through /etc/securetty in Operating System - HP-UX

ServiceGuard and denying Root-Login through /etc/securetty

Oliver Charni — Fri, 10 Mar 2006 05:55:02 GMT

Got a rather basic question regarding the use of /etc/securetty to deny root-Logins in Combination with ServiceGuard Cluster.
We have a 6 Node Cluster that still uses rlogin/rsc/rexec at the moment.
Thing one is that we want to change this to SSH. I understand this is done by setting Parameters in the Clusterconfig and restarting the Cluster.
Thing two is that we want do disable root-Logins by putting console in /etc/securetty.

Question is, will putting console in /etc/securetty affect the Cluster Funcionality once we changed it to SSH ? Im not entirely familir to how the Cluster uses Remote-Logins thus the Question here.

Re: ServiceGuard and denying Root-Login through /etc/securetty

Steven E. Protter — Fri, 10 Mar 2006 05:59:00 GMT

Shalom Oliver,

SG has a nodelist function that replaces rsh for access. As far as I knew SG did not depend on ssh.

For ssh you could exchange public keys and that would probably help with remote login issues. Exchanging public keys is better than changing securetty in this situation.

SEP

Re: ServiceGuard and denying Root-Login through /etc/securetty

RAC_1 — Fri, 10 Mar 2006 06:08:54 GMT

What version of SG?? with latest versions of SG, you need .rhosts/cmclnodelist files only at the time of forming a cluster. Later, you can configure access policies in packages/cluster config files.

It has nothing to do with /etc/securetty, and also you can not use ssh.

Re: ServiceGuard and denying Root-Login through /etc/securetty

rariasn — Fri, 10 Mar 2006 06:21:42 GMT

Hi Oliver;

My /etc/securetty:

console

In cluster_configuration_file:

USER_NAME user_operator
USER_HOST CLUSTER_MEMBER_NODE
USER_ROLE pkg_admin

I not defined root user, and all ok.

for remote root commands, I use "ssh"

ran

Re: ServiceGuard and denying Root-Login through /etc/securetty

Oliver Charni — Fri, 10 Mar 2006 06:24:46 GMT

SG Version is 11.14.
I can only remember from installing one SG Cluster a while back that it needed the .rhosts Entries but i wasnt really sure how the Cluster uses that during normal Operations.

Ive looked through the ServiceGuard Security Files Document now and the Access Policies are described there. Basically on a User and Host Basis.

In any Case i still need to put console in /etc/securetty. Thing is the somewhat weird requirements for those systems as R-Services and Telnet need to be active and we just wanna make sure that root cannot login through those. The only concern was that the Cluster might not work properly once we make the changes.

Re: ServiceGuard and denying Root-Login through /etc/securetty

rariasn — Mon, 13 Mar 2006 02:58:16 GMT

# ll /etc/cmcluster/cmclnodelist
-rw-r----- 1 root sys 410 Oct 4 2004 cmclnodelist

# cat /etc/cmcluster/cmclnodelist

node1 root
node2 root
...
node1 operator_user
node2 operador_user

Copy file "cmclnodelist" to node1 and node2

ran