02-19-2006 10:39 PM
direct ssh root login with enhanced security
I have a server with enhanced security configured.
Also:
0. OS Version
SRV1:root# sizer -v
Compaq Tru64 UNIX V5.1A (Rev. 1885); Wed Jan 18 11:27:56 CET 2006
1. no ptys in /etc/securettys
SRV1 :root# tail /etc/securettys
...
#
/dev/console
local:0
:0
SRV1 :root#
2. ssh server configuration:
SRV1 :root# grep -i permitroot /etc/ssh2/sshd2_config
PermitRootLogin yes
3. I've set the root user to be allowed to log in to the terminal:
SRV1 :root# edauth -g -dv
console:\
:v_devs=/dev/console:v_type=terminal:chkent:
local\:0|local\:0.0:\
:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:
\:0|\:0.0:\
:v_devs=\:0,\:0.0:v_type=xdisplay:chkent:
\:1|\:1.0:\
:v_devs=\:1,\:1.0:v_type=xdisplay:chkent:
\:0.1:\
:v_devs=\:0.1:v_type=xdisplay:chkent:
*:\
:v_type=terminal:v_users=root:chkent:
*\:*:\
:v_devs=*\:*:v_type=xdisplay:chkent:
So, if I try to log in with a non-root user (aco), I'm not allowed, which is OK:
MGMSRV> ssh aco@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.
Connection to SRV1 closed.
MGMSRV>
But with root I get the same result, even though I have v_users=root :( :
MGMSRV> ssh root@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.
Connection to SRV1 closed.
It seems that the only way to do a direct ssh root login is to put ptys
in /etc/securettys. But this way telnet root login is also enabled. Am I right?
Is there a way to enable direct ssh root login and to disable telnet root login
(without stopping telnetd)?
man ttys says:
"The secure terminal database file, /etc/securettys, controls root
logins for all security levels. The file is described in the securet-
tys(4) reference page."
Help/suggestions will be appreciated.
Thanks,
(yes, yes, I've taken a look at http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1001507 ...)
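The original post boils down to one rule: root gets a pseudo-tty login (telnet or ssh, both allocate ptys) only if "ptys" is listed in /etc/securettys, and ssh root login additionally needs PermitRootLogin yes in /etc/ssh2/sshd2_config. The script below is an added audit example, not code from the thread or from HP, that encodes that rule and reports which root login paths a given pair of files opens. The file contents are constructed for the demo; on a real Tru64 host you would pass /etc/securettys and /etc/ssh2/sshd2_config, and the treatment of PermitRootLogin values other than yes as "no" is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the two files that, as the
# original post observed, gate direct root logins on Tru64 with enhanced
# security: /etc/securettys (a "ptys" line lets root in on any pseudo-tty,
# which telnetd and sshd both allocate) and PermitRootLogin in
# /etc/ssh2/sshd2_config. Sample files below are constructed for the demo.

# securettys_has FILE DEVICE: true if DEVICE is listed (comments ignored).
securettys_has() {
    sed 's/#.*//' "$1" | grep -q "^[[:space:]]*$2[[:space:]]*$"
}

# permit_root_login FILE: PermitRootLogin value, lower-cased; "no" if unset.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }' "$1"
}

# root_login_paths SECURETTYS SSHD2_CONFIG
# Prints "ssh-root=<yes|no> telnet-root=<yes|no>". A root login on a pty
# needs "ptys" in securettys; ssh additionally needs PermitRootLogin yes
# (assumption: any other PermitRootLogin value is reported as "no").
root_login_paths() {
    ptys=no
    securettys_has "$1" ptys && ptys=yes
    telnet=$ptys
    ssh=no
    if [ "$ptys" = yes ] && [ "$(permit_root_login "$2")" = yes ]; then
        ssh=yes
    fi
    echo "ssh-root=$ssh telnet-root=$telnet"
}

# --- constructed sample inputs (not the poster's real files) ---
DEMO=$(mktemp -d)
cat > "$DEMO/securettys.locked" <<'EOF'
# constructed: like the original post, no ptys entry
/dev/console
local:0
:0
EOF
cat > "$DEMO/securettys.ptys" <<'EOF'
# constructed: ptys added, the change the poster wanted to avoid
/dev/console
ptys
EOF
printf 'PermitRootLogin yes\n' > "$DEMO/sshd2_config"

root_login_paths "$DEMO/securettys.locked" "$DEMO/sshd2_config"
root_login_paths "$DEMO/securettys.ptys"   "$DEMO/sshd2_config"
```

Run it as root on the host with the real paths substituted for the demo files; the second line of output shows why adding ptys satisfies sshd but also opens telnet root login, which is exactly the trade-off the question is about.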
02-19-2006 11:07 PM
Re: direct ssh root login with enhanced security
The secure terminal database file, /etc/securettys, controls root logins for all security levels. The file is described in the securettys(4) reference page.
By default, the enhanced security terminal control information is stored in database format (ttys.db). The information was formerly stored in the ttys file and is converted to database format in an update installation. The convauth utility converts an existing ttys file to database format.
The database is /etc/auth/system/ttys.db
Try using /usr/tcb/bin/dxdevices to modify the configuration.
02-20-2006 12:40 AM
Re: direct ssh root login with enhanced security
Thank you for the fast reply.
The system is a clean install (not updated).
As can be seen from my post (edauth -g -dv), I've made changes in the devassign database.
As far as I can see from man ttys, login records (last login, when, success/failure...) are stored in ttys.db. With dxdevices the login timeout, maximum unsuccessful logins, and unsuccessful login delay can be modified.
So I believe that the only change that can be made is in the devassign database. Am I right, or am I missing something??
Regards,
02-20-2006 01:53 AM
Re: direct ssh root login with enhanced security
*:\
:v_type=terminal:v_users=root:chkent:
On my system:
*:\
:v_type=terminal:chkent:
02-20-2006 02:07 AM
Re: direct ssh root login with enhanced security
edauth -g -dt
02-20-2006 02:11 AM
Re: direct ssh root login with enhanced security
The default setting is like on your system. It was not working for root, so I've put v_users=root.
With v_users=root only root can ssh to the system, but only if /etc/securettys contains "ptys".
SRV1:root# edauth -g -dt
*:\
:t_devname=*:chkent:
*\:*:\
:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:
\:0|\:0.0:\
:t_devname=\:0:t_login_timeout#0:t_xdisplay:chkent:
\:0.1:\
:t_devname=\:0.1:t_login_timeout#0:t_xdisplay:chkent:
\:1|\:1.0:\
:t_devname=\:1:t_login_timeout#0:t_xdisplay:chkent:
console:\
:t_devname=console:chkent:
local\:0|local\:0.0:\
:t_devname=local\:0:t_login_timeout#0:t_xdisplay:chkent:
Regards,