HPE Community
Operating System - Tru64 Unix
1752284 Members
4650 Online
108786 Solutions
New Discussion юеВ

direct ssh root login with enhanced security

 
Aco Blazeski
Regular Advisor

тАО02-19-2006 10:39 PM

тАО02-19-2006 10:39 PM

direct ssh root login with enhanced security

Hi admins,

I have server with enhanced security configured.
Also:
0. OS Version
SRV1:root# sizer -v
Compaq Tru64 UNIX V5.1A (Rev. 1885); Wed Jan 18 11:27:56 CET 2006

1. no ptys in /etc/securettys
SRV1 :root# tail /etc/securettys
...
#
/dev/console
local:0
:0
SRV1 :root#


2. ssh server configuration:

SRV1 :root# grep -i permitroot /etc/ssh2/sshd2_config
PermitRootLogin yes

3. I've set root user to be allowed login to terminal:

SRV1 :root# edauth -g -dv
console:\
:v_devs=/dev/console:v_type=terminal:chkent:
local\:0|local\:0.0:\
:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:
\:0|\:0.0:\
:v_devs=\:0,\:0.0:v_type=xdisplay:chkent:
\:1|\:1.0:\
:v_devs=\:1,\:1.0:v_type=xdisplay:chkent:
\:0.1:\
:v_devs=\:0.1:v_type=xdisplay:chkent:
*:\
:v_type=terminal:v_users=root:chkent:
*\:*:\
:v_devs=*\:*:v_type=xdisplay:chkent:

So, if I try to login with non-root user (aco) I'm not allowed, which is ok:

MGMSRV> ssh aco@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.

Connection to SRV1 closed.
MGMSRV>

But with root the same result even though I have v_users=root :( :


MGMSRV> ssh root@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.

Connection to SRV1 closed.

It seems that the only way to do direct ssh root login is if I put ptys
in /etc/securettys. But this way telnet root login is also enabled. Am I right ?
Is there a way to enable direct ssh root login and to disable telnet root login
(without stopping telnetd).

man ttys says:

"The secure terminal database file, /etc/securettys, controls root
logins for all security levels. The file is described in the securet-
tys(4) reference page."

Help/suggestions will be appreciated

Thanks,

(yes,yes I've take a look on the http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1001507 ...)
0 Kudos
5 REPLIES 5
Ivan Ferreira
Honored Contributor

тАО02-19-2006 11:07 PM

тАО02-19-2006 11:07 PM

Re: direct ssh root login with enhanced security

I don't have that problem, and maybe is because we never do an update installation. From man ttys:

The secure terminal database file, /etc/securettys, controls root logins for all security levels. The file is described in the securettys(4) reference page.

By default, the enhanced security terminal control information is stored in database format (ttys.db). The information was formerly stored in the ttys file and is converted to database format in an update installation. The convauth utility converts an existing ttys file to database format.

The database is /etc/auth/system/ttys.db

Try using /usr/tcb/bin/dxdevices to modify the configuration.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Aco Blazeski
Regular Advisor

тАО02-20-2006 12:40 AM

тАО02-20-2006 12:40 AM

Re: direct ssh root login with enhanced security

Hi Ivan,
Thank you for fast reply.

System is clean installed (not updated).
As it can be seen from my post (edauth -g -dv) I've made changes in devassign database.
As far as I can see from man ttys in ttys.db are stored login records (last login,when,success/failure...). With dxdevices login timeout, maximum unsuccess login, and unsuccess login delay can be modified.

So I believe that the only change that can be made is in devassign database. Am I right, or I am missing something ??

Regards,
0 Kudos
Ivan Ferreira
Honored Contributor

тАО02-20-2006 01:53 AM

тАО02-20-2006 01:53 AM

Re: direct ssh root login with enhanced security

Probably, your problem is this:

*:\
:v_type=terminal:v_users=root:chkent:


On my system:

*:\
:v_type=terminal:chkent:
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Ivan Ferreira
Honored Contributor

тАО02-20-2006 02:07 AM

тАО02-20-2006 02:07 AM

Re: direct ssh root login with enhanced security

What is the output of:

edauth -g -dt
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Aco Blazeski
Regular Advisor

тАО02-20-2006 02:11 AM

тАО02-20-2006 02:11 AM

Re: direct ssh root login with enhanced security

Hi,
default setting is like on your system. It was not working for root, so I've put v_users=root.
With v_user=root only root can ssh to the system, but only if /etc/securettys contains "ptys".

SRV1:root# edauth -g -dt
*:\
:t_devname=*:chkent:
*\:*:\
:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:
\:0|\:0.0:\
:t_devname=\:0:t_login_timeout#0:t_xdisplay:chkent:
\:0.1:\
:t_devname=\:0.1:t_login_timeout#0:t_xdisplay:chkent:
\:1|\:1.0:\
:t_devname=\:1:t_login_timeout#0:t_xdisplay:chkent:
console:\
:t_devname=console:chkent:
local\:0|local\:0.0:\
:t_devname=local\:0:t_login_timeout#0:t_xdisplay:chkent:

Regards,
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.