topic Re: root remote login in Operating System - HP-UX

root remote login

Terry Willmann — Tue, 24 Sep 2002 14:53:49 GMT

We can not remotely login with the root user and get error, "login incorrect". What file must be modified to allow remote login by root. Other users are able to login remotely.

Re: root remote login

John Dvorchak — Tue, 24 Sep 2002 15:01:03 GMT

The file is /etc/securetty. Either delete it or rename it. It is a text file that holds the tty names, console included, that are the only ones that root can logon from. Typically it only has "console" in it. By renaming it root can logon from anywher. Caution, this is a huge security risk. The accepted proceedure is to logon as a normal user and su - to gain root access.

Re: root remote login

Ray Brewer — Tue, 24 Sep 2002 15:03:14 GMT

If you are trying to "rlogin" the file ".rhosts" in the root users home directory on the remote system is the file that needs to be modified. You will need to put in an entry like this

root

Where is the name of the local system you are trying to log in from. Also the remote system needs to be able to resolve the local systems host name with either an entry in /etc/hosts or DNS

Ray

Re: root remote login

Darrell Allen — Tue, 24 Sep 2002 15:03:34 GMT

I heartily echo John's comments about the huge security risk of allowing root to login directly from anywhere other than the console.

Darrell

Re: root remote login

Shannon Petry — Tue, 24 Sep 2002 15:03:42 GMT

is there a file /etc/securetty?

SunOS has a default security setting that dis-allows root access, but HP-UX does not. Root access denial Im pretty sure is only controled by the securetty file.

Regards,
Shannon

Re: root remote login

Anil C. Sedha — Tue, 24 Sep 2002 15:19:23 GMT

Terry,

You can delete the /etc/securetty file as i don't believe that it is such a big risk to let root login from anywhere else apart from the console.

Most of us work on scenarios where our Datacentres host our boxes and we work remotely. I don't see any security flaw if we use root access from remote terminals so long as we hold the password securely and change it at regular intervals.

Regards,
Anil

Re: root remote login

John Dvorchak — Tue, 24 Sep 2002 15:24:37 GMT

I have to respectfuly take exception to Ray's suggestion about a .rhosts file in the root home directory. Her are a couple of points:

1. With .rhosts you have to list the systems that can gain access as root. Limiting your options to logon from anywhere.

2. With no .rhosts at least the person hacking your system has to know the root password to gain access to that system.

3. With no .rhosts and having "console" in the /etc/securetty file will force someone to logon as a normal user and then su to root allowing you to track who is doing what as root. We use this in root's .profile to track the history of the user:

REAL=`logname`
HISTFILE=.sh_$REAL
HISTSIZE=1000
export HISTFILE HISTSIZE

Re: root remote login

Terry Willmann — Tue, 24 Sep 2002 15:27:12 GMT

The /etc/securetty file is not present on the system.

Re: root remote login

Roger Baptiste — Tue, 24 Sep 2002 15:52:54 GMT

hi,

Try doing a ls /etc/securetty as *root* user , because this file normally does not have access permission to non-root users. This is confirm that the file is really there or not.

Another thing to check would be the /var/adm/syslog/syslog.log file for messages related to root loging. It should have some error message for the login of root which will give further clues on what the problem could me.

Are you able to do su as root from a normal user. Just to discount any passwd related issue!

HTH
raj

Re: root remote login

MANOJ SRIVASTAVA — Tue, 24 Sep 2002 16:10:52 GMT

Hi Terry

In the $HOME/.rhosts for the root you can try adding

IP adress root

instead of

server name root

this will solve the problem .

like

server A 10.2.10.30
server B 10.2.10.40

in .rhosts on A you should have

10.2.10.40 root

and vice versa.

Manoj Srivastava

Re: root remote login

Tom Danzig — Tue, 24 Sep 2002 16:28:46 GMT

You might also want to check in /var/adm/inetd.sec to insure there are no login restrictions for root there.

Re: root remote login

Shannon Petry — Tue, 24 Sep 2002 16:54:29 GMT

with the rlogin command, if you are not allowed to login without a password via /.rhosts or $HOME/.rhosts or ~root/.rhosts (if you changed root's home) then you should be prompted for a password.
If this "login incorrect" is coming from remsh then there is no way to fix this without adding the allowed systems into ~root/.rhosts

are you getting the error from remsh? or from rlogin?

Regards,
Shannon

Re: root remote login

Darrell Allen — Tue, 24 Sep 2002 17:11:14 GMT

Assuming you are telneting to the system...

You can get "Login incorrect" for the following reasons:

- invalid loginid
- invalid password
- superuser not allowed to login remotely because of /etc/securetty

There may be other reasons but these are the 3 I know of. Can you login as a non-superuser and then su to root?

Darrell

Re: root remote login

Deshpande Prashant — Tue, 24 Sep 2002 17:28:45 GMT

HI
Check the /var/adm/syslog/syslog.log file for the error messages related to your failed attempts with root remote logins.

It could be "root" account blocked to login directly (check such restriction in .profile, /etc/profile, inetd.sec) or the host/IP address blocked to login (in inetd.sec)

Thankc.
Prashant.

Re: root remote login

Darrell Allen — Tue, 24 Sep 2002 17:40:20 GMT

At least on 11.0, don't worry about checking /var/adm/inetd.sec. If inetd.sec is denying telnet or (r)login, you won't get to the point where you would enter a loginid or a password.

I hate to ask, but is the root password what you think it should be? Can you login and su to root? It wouldn't be the first time someone has changed the password without letting others know.

Darrell

Re: root remote login

Terry Willmann — Tue, 24 Sep 2002 17:58:39 GMT

Thank all for the help. The problem was being caused by the root password having an @ sign in it.