https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731345#M6058 I can add ptys entry on /etc/securettys but this allows ssh and telnet to login as root. <BR /><BR />I also tried to set PermitRootLogin to yes on /usr/local/etc/sshd_config but I'm still not able to ssh as root. I have tried to restart sshd after changing PermitRootLogin to yes but it does not help.<BR /><BR />Below verifies that I am using the right config file for sshd. <BR /><BR />--&gt; /usr/local/sbin/sshd -? <BR />sshd: illegal option -- ?<BR />sshd version OpenSSH_3.7.1p2<BR />Usage: sshd [options]<BR />Options:<BR /> -f file Configuration file (default /usr/local/etc/sshd_config)<BR /><BR />I got the following error when connecting through ssh as root<BR /><BR />phxwa11# ssh adtdb031n1<BR />Not authorized for terminal access -- see System Administrator.<BR /><BR />Connection to adtdb031n1 closed.<BR /><BR />/var/adm/syslog.dated/current/auth.log shows the following<BR /><BR />Feb 14 12:24:38 adtdb031n1 sshd[979747]: Accepted publickey for root from 10.40.<BR />248.36 port 45858 ssh2<BR />Feb 14 12:24:38 adtdb031n1 sshd[979774]: ROOT LOGIN REFUSED /dev/pts/7<BR />Feb 14 12:24:38 adtdb031n1 sshd[979774]: fatal: Couldn't establish session for r<BR />oot from phxwa11.firsthealth.com Tue, 14 Feb 2006 14:32:33 GMT Hong Liao_1 2006-02-14T14:32:33Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731345#M6058 I can add ptys entry on /etc/securettys but this allows ssh and telnet to login as root. <BR /><BR />I also tried to set PermitRootLogin to yes on /usr/local/etc/sshd_config but I'm still not able to ssh as root. I have tried to restart sshd after changing PermitRootLogin to yes but it does not help.<BR /><BR />Below verifies that I am using the right config file for sshd. <BR /><BR />--&gt; /usr/local/sbin/sshd -? <BR />sshd: illegal option -- ?<BR />sshd version OpenSSH_3.7.1p2<BR />Usage: sshd [options]<BR />Options:<BR /> -f file Configuration file (default /usr/local/etc/sshd_config)<BR /><BR />I got the following error when connecting through ssh as root<BR /><BR />phxwa11# ssh adtdb031n1<BR />Not authorized for terminal access -- see System Administrator.<BR /><BR />Connection to adtdb031n1 closed.<BR /><BR />/var/adm/syslog.dated/current/auth.log shows the following<BR /><BR />Feb 14 12:24:38 adtdb031n1 sshd[979747]: Accepted publickey for root from 10.40.<BR />248.36 port 45858 ssh2<BR />Feb 14 12:24:38 adtdb031n1 sshd[979774]: ROOT LOGIN REFUSED /dev/pts/7<BR />Feb 14 12:24:38 adtdb031n1 sshd[979774]: fatal: Couldn't establish session for r<BR />oot from phxwa11.firsthealth.com Tue, 14 Feb 2006 14:32:33 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731345#M6058 Hong Liao_1 2006-02-14T14:32:33Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731346#M6059 Root login is not recommended either by telnet or ssh.<BR /><BR />To disable root access by telnet, remove the ptys entry from /etc/securettys. You should also disable the telnet service from /etc/inetd.conf.<BR /><BR />The configuration file for SSH is /etc/ssh2/sshd2_config. There is where you need to enable PermitRootLogin. As far I know, the securettys file does not have influence in root access through SSH (I don't have ptys on my system). Tue, 14 Feb 2006 14:53:22 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731346#M6059 Ivan Ferreira 2006-02-14T14:53:22Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731347#M6060 Both /usr/local/etc/sshd_config and /etc/ssh2/sshd2_config PermitRootLogin are set to Yes. <BR /><BR />ptys is not currently added on /etc/securettys because we don't want telnet to login directly as root. We can disable telnet later by removing it entry from /etc/inetd.conf. Right now we only need to allow ssh to login as root. Currently we were able to run a command through ssh as root without any issue and ssh does not prompt for password since we configure ssh to allow root without password. <BR /><BR />Thanks for the help. Tue, 14 Feb 2006 15:24:44 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731347#M6060 Hong Liao_1 2006-02-14T15:24:44Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731348#M6061 That's good!.<BR /><BR />Please see also:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/helptips.do?#28" target="_blank">http://forums1.itrc.hp.com/service/forums/helptips.do?#28</A> Tue, 14 Feb 2006 16:03:02 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731348#M6061 Ivan Ferreira 2006-02-14T16:03:02Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731349#M6062 Hi all, <BR />actually I have the same problem, but don't know how to solve it:<BR />SRV2 has enhanced security installed<BR />SRV1 has no enhanced security.<BR /><BR />direct root login via ssh on SRV1 is ok<BR />direct root login via ssh on SRV2 is restricted even though sshd is set to "yes"<BR /><BR />So the question still stands, how to enable ssh root direct login without editing securettys? I believe that there is some trick with enhaned security, but can't figure it out.<BR /><BR />Any idea ?<BR /><BR />MGMCON&gt; ssh -q root@SRV1<BR />Last login: Wed Feb 15 09:09:52 CET 2006 from MGMCON<BR />...<BR /><BR />You have new mail.<BR />SRV1 :root# tail /etc/securettys<BR />...<BR /># <DEVICE name=""><BR />/dev/console<BR />local:0<BR />:0<BR />SRV1 :root#<BR />SRV1 :root# grep -i permitroot /etc/ssh2/sshd2_config<BR /> PermitRootLogin yes<BR /># PermitRootLogin nopwd<BR /><BR /><BR />MGMCON&gt; ssh -q root@SRV2<BR />Not authorized for terminal access -- see System Administrator.<BR /><BR />MGMCON&gt; ssh SRV2<BR />Authentication successful.<BR />Last successful login for aco: Wed Feb 15 09:01:49 CET 2006 from MGMCON<BR />Last unsuccessful login for aco: NEVER<BR /><BR />Compaq Tru64 UNIX V5.1A (Rev. 1885); Sat Sep 13 19:37:43 CEST 2003<BR />...<BR />No mail.<BR />$ su -<BR />Password:<BR />SRV2 :root# tail -n -3 /etc/securettys<BR />/dev/console<BR />local:0<BR />:0<BR />SRV2 :root# grep -i permitroot /etc/ssh2/sshd2_config<BR /> PermitRootLogin yes<BR /># PermitRootLogin nopwd<BR />SRV2 :root#<BR /><BR />P.S. if I put ptys in securettys on SRV2 then it works fine...<BR /><BR />Thanks,</DEVICE> Wed, 15 Feb 2006 03:24:36 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731349#M6062 Aco Blazeski 2006-02-15T03:24:36Z https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731350#M6063 An authorized user list can be created for a particular terminal. If such a list exists, your user name must appear in the list or you cannot log in at that terminal. In this case, the system displays the following message:<BR /><BR />Not authorized for terminal access--see System Administrator<BR /><BR /><BR />This is not a SSH restriction, this is an ENHANCED SECURITY restriction. Wed, 15 Feb 2006 07:40:14 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-do-i-enable-ssh-root-login-without-allowing-telnet-root/m-p/3731350#M6063 Ivan Ferreira 2006-02-15T07:40:14Z