Operating System - Tru64 Unix

How do I enable ssh root login without allowing telnet root login

 
Hong Liao_1
New Member

How do I enable ssh root login without allowing telnet root login

I can add ptys entry on /etc/securettys but this allows ssh and telnet to login as root.

I also tried to set PermitRootLogin to yes on /usr/local/etc/sshd_config but I'm still not able to ssh as root. I have tried to restart sshd after changing PermitRootLogin to yes but it does not help.

Below verifies that I am using the right config file for sshd.

--> /usr/local/sbin/sshd -?
sshd: illegal option -- ?
sshd version OpenSSH_3.7.1p2
Usage: sshd [options]
Options:
-f file Configuration file (default /usr/local/etc/sshd_config)

I got the following error when connecting through ssh as root

phxwa11# ssh adtdb031n1
Not authorized for terminal access -- see System Administrator.

Connection to adtdb031n1 closed.

/var/adm/syslog.dated/current/auth.log shows the following

Feb 14 12:24:38 adtdb031n1 sshd[979747]: Accepted publickey for root from 10.40.248.36 port 45858 ssh2
Feb 14 12:24:38 adtdb031n1 sshd[979774]: ROOT LOGIN REFUSED /dev/pts/7
Feb 14 12:24:38 adtdb031n1 sshd[979774]: fatal: Couldn't establish session for root from phxwa11.firsthealth.com
Ivan Ferreira
Honored Contributor

Re: How do I enable ssh root login without allowing telnet root login

Root login is not recommended either by telnet or ssh.

To disable root access by telnet, remove the ptys entry from /etc/securettys. You should also disable the telnet service from /etc/inetd.conf.

The configuration file for SSH is /etc/ssh2/sshd2_config. That is where you need to enable PermitRootLogin. As far as I know, the securettys file has no influence on root access through SSH (I don't have ptys on my system).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Hong Liao_1
New Member

Re: How do I enable ssh root login without allowing telnet root login

Both /usr/local/etc/sshd_config and /etc/ssh2/sshd2_config PermitRootLogin are set to Yes.

ptys is not currently added on /etc/securettys because we don't want telnet to login directly as root. We can disable telnet later by removing its entry from /etc/inetd.conf. Right now we only need to allow ssh to login as root. Currently we were able to run a command through ssh as root without any issue and ssh does not prompt for password since we configure ssh to allow root without password.

Thanks for the help.
Ivan Ferreira
Honored Contributor

Re: How do I enable ssh root login without allowing telnet root login

That's good!

Please see also:

http://forums1.itrc.hp.com/service/forums/helptips.do?#28
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Aco Blazeski
Regular Advisor

Re: How do I enable ssh root login without allowing telnet root login

Hi all,
actually I have the same problem, but don't know how to solve it:
SRV2 has enhanced security installed
SRV1 has no enhanced security.

direct root login via ssh on SRV1 is ok
direct root login via ssh on SRV2 is restricted even though sshd is set to "yes"

So the question still stands, how to enable ssh root direct login without editing securettys? I believe that there is some trick with enhanced security, but can't figure it out.

Any idea?

MGMCON> ssh -q root@SRV1
Last login: Wed Feb 15 09:09:52 CET 2006 from MGMCON
...

You have new mail.
SRV1 :root# tail /etc/securettys
...
#
/dev/console
local:0
:0
SRV1 :root#
SRV1 :root# grep -i permitroot /etc/ssh2/sshd2_config
PermitRootLogin yes
# PermitRootLogin nopwd


MGMCON> ssh -q root@SRV2
Not authorized for terminal access -- see System Administrator.

MGMCON> ssh SRV2
Authentication successful.
Last successful login for aco: Wed Feb 15 09:01:49 CET 2006 from MGMCON
Last unsuccessful login for aco: NEVER

Compaq Tru64 UNIX V5.1A (Rev. 1885); Sat Sep 13 19:37:43 CEST 2003
...
No mail.
$ su -
Password:
SRV2 :root# tail -n -3 /etc/securettys
/dev/console
local:0
:0
SRV2 :root# grep -i permitroot /etc/ssh2/sshd2_config
PermitRootLogin yes
# PermitRootLogin nopwd
SRV2 :root#

P.S. if I put ptys in securettys on SRV2 then it works fine...

Thanks,
Ivan Ferreira
Honored Contributor

Re: How do I enable ssh root login without allowing telnet root login

An authorized user list can be created for a particular terminal. If such a list exists, your user name must appear in the list or you cannot log in at that terminal. In this case, the system displays the following message:

Not authorized for terminal access--see System Administrator


This is not an SSH restriction, this is an ENHANCED SECURITY restriction.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
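
Added example (not part of the thread or of any poster's code): the auth.log pattern quoted in the first post, where sshd accepts the key and a different sshd process then logs ROOT LOGIN REFUSED on the pty, can be picked out mechanically to show that a refusal happened after authentication. The function names, host names and sample log lines are constructed for illustration, and pairing events by host in log order is a simplifying assumption.

```shell
#!/bin/sh
# Added example: find root SSH logins that passed sshd authentication but were
# then refused at terminal setup, using the auth.log message formats quoted in
# this thread. The sample log below is constructed, not taken from a real host.

sample_log() {
cat <<'EOF'
Feb 14 12:24:38 hostA sshd[1001]: Accepted publickey for root from 192.0.2.10 port 45858 ssh2
Feb 14 12:24:38 hostA sshd[1002]: ROOT LOGIN REFUSED /dev/pts/7
Feb 14 12:24:38 hostA sshd[1002]: fatal: Couldn't establish session for root from client.example.com
Feb 14 12:30:02 hostA sshd[1010]: Accepted publickey for root from 192.0.2.10 port 45901 ssh2
Feb 14 12:31:15 hostB sshd[2001]: Accepted password for aco from 192.0.2.20 port 40000 ssh2
Feb 14 12:40:00 hostB sshd[2050]: ROOT LOGIN REFUSED /dev/pts/3
EOF
}

# classify_root_logins: reads auth.log text on stdin, prints one line per event:
#   POST_AUTH_REFUSAL host tty src  - credentials accepted, then the tty was refused
#   ROOT_SESSION_OK   host src      - accepted, and no refusal followed
#   REFUSED_NO_AUTH   host tty      - refusal with no preceding accept in the input
# The accept and the refusal carry different sshd PIDs (as in the thread), so
# events are paired per host in log order rather than by PID (assumption).
classify_root_logins() {
    awk '
    function emit_ok(h) {
        if (h in pending) { print "ROOT_SESSION_OK", h, pending[h]; delete pending[h] }
    }
    / sshd\[[0-9]+\]: Accepted [a-z-]+ for root from / {
        host = $4; emit_ok(host)
        for (i = 1; i <= NF; i++) if ($i == "from") pending[host] = $(i + 1)
        next
    }
    / sshd\[[0-9]+\]: ROOT LOGIN REFUSED / {
        host = $4; tty = $NF
        if (host in pending) {
            print "POST_AUTH_REFUSAL", host, tty, pending[host]; delete pending[host]
        } else print "REFUSED_NO_AUTH", host, tty
        next
    }
    END { for (h in pending) print "ROOT_SESSION_OK", h, pending[h] }
    '
}

# Run the demo on the constructed sample only when invoked as: script.sh demo
if [ "${1:-}" = "demo" ]; then sample_log | classify_root_logins; fi
```

To run it on a real host, feed the function the log named in the first post, /var/adm/syslog.dated/current/auth.log, on stdin. A POST_AUTH_REFUSAL line means sshd's own authentication succeeded and the login was stopped at the terminal stage.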