
Disable root rlogin

 
Henry Nguyen
Occasional Advisor

Disable root rlogin

Hello All:

Is there a way to disable rlogin for root, but allow all the r* services to stay enabled (i.e. rcp, remsh...) for root? I have already set up an /etc/securetty file to force root login only from the console. I would configure the /var/adm/inetd.sec file, but this would disable rlogin for everyone. I'm only interested in disabling rlogin for root. Any advice is appreciated.

Thanks,
Henry
7 REPLIES
RAC_1
Honored Contributor
Solution

Re: Disable root rlogin

TCP wrappers.

Check /etc/hosts.allow and /etc/hosts.deny

Anil
There is no substitute to HARDWORK
Hai Nguyen_1
Honored Contributor

Re: Disable root rlogin

That's not true. With /var/adm/inetd.sec, you can specify a user ID which you want to deny a service. Man inetd.sec for an example.

Hai
RAC_1
Honored Contributor

Re: Disable root rlogin

Henry,

There is no way you can do that with inetd.sec. It is for rejecting/allowing service to a host/network.

Your only option seems to be tcp wrappers.

Anil
There is no substitute to HARDWORK
Jeff Schussele
Honored Contributor

Re: Disable root rlogin

Hi Hai,

I have to agree w/RAC on this one.
With inetd.sec granularity can only go down to hostname/IP as well as subnet.
With tcp-wrappers you *can* go down to username - like:
username@hostname.com

Henry - I believe that's the only way you can do this short of some code in /etc/profile that will query access method as well as login name to disallow root rlogins.

tcp-wrappers can be had here:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

highly recommended.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
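
The tcp-wrappers user@host rule discussed in the replies above, written out as an added example that is not part of any poster's reply. It assumes rlogind is started from inetd through tcpd, and the tcpd path shown is an assumption that depends on where the package was installed. Per hosts_access(5), the user part of the pattern is the client-side user name obtained through an RFC 931 (ident) lookup, so it is only as trustworthy as the client host.

```conf
# /etc/inetd.conf -- start rlogind through the tcpd wrapper.
# The tcpd path is an assumption; use the install location of your build.
# The shell service (remshd, used by remsh and rcp) is left unwrapped.
login  stream tcp nowait root /usr/local/bin/tcpd /usr/lbin/rlogind

# /etc/hosts.deny -- refuse rlogin when the client-side user is root.
# hosts.allow is consulted first, so make sure no rule there
# already grants rlogind access to the same clients.
rlogind: root@ALL

# After editing inetd.conf, have inetd re-read it:
#   inetd -c
# Check how a request would be handled without making a connection
# (client.example.com is a constructed host name):
#   tcpdmatch rlogind root@client.example.com
```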
Hai Nguyen_1
Honored Contributor

Re: Disable root rlogin

Jeff and RAC,

You are both right. My bad for believing my memory with reviewing the man page. Henry, inetd.sec cannot handle this. Sorry for my mistake.

Hai
Simon Wickham_6
Regular Advisor

Re: Disable root rlogin

Hi,

Have you checked /etc/inetd.conf and run inetd -c to pick up the changes if required? Also ensure no TCP wrappers by checking if you have a /etc/hosts.allow and /etc/hosts.deny.

It is also worth checking /var/adm/inetd.sec for any entries.

Regards,
Simon
Muthukumar_5
Honored Contributor

Re: Disable root rlogin

Yes. You can simply do it in the /.profile file.

/.profile

# Refuse the session if an rlogind process shows up in the ps listing
if ps | grep -q 'rlogind'
then
    echo "ERROR: rlogin with root account is disabled"
    sleep 2
    exit 1
fi

Note: remsh is like rlogin

It is working.

--
Muthu
Easy to suggest when don't know about the problem!