direct ssh root login with enhanced security

Aco Blazeski
Regular Advisor

Hi admins,

I have a server with enhanced security configured.
Also:
0. OS Version
SRV1:root# sizer -v
Compaq Tru64 UNIX V5.1A (Rev. 1885); Wed Jan 18 11:27:56 CET 2006

1. no ptys in /etc/securettys
SRV1 :root# tail /etc/securettys
...
#
/dev/console
local:0
:0
SRV1 :root#


2. ssh server configuration:

SRV1 :root# grep -i permitroot /etc/ssh2/sshd2_config
PermitRootLogin yes

3. I've set root user to be allowed login to terminal:

SRV1 :root# edauth -g -dv
console:\
:v_devs=/dev/console:v_type=terminal:chkent:
local\:0|local\:0.0:\
:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:
\:0|\:0.0:\
:v_devs=\:0,\:0.0:v_type=xdisplay:chkent:
\:1|\:1.0:\
:v_devs=\:1,\:1.0:v_type=xdisplay:chkent:
\:0.1:\
:v_devs=\:0.1:v_type=xdisplay:chkent:
*:\
:v_type=terminal:v_users=root:chkent:
*\:*:\
:v_devs=*\:*:v_type=xdisplay:chkent:

So, if I try to log in with a non-root user (aco) I'm not allowed, which is OK:

MGMSRV> ssh aco@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.

Connection to SRV1 closed.
MGMSRV>

But with root I get the same result, even though I have v_users=root :( :


MGMSRV> ssh root@SRV1
Authentication successful.
Not authorized for terminal access -- see System Administrator.

Connection to SRV1 closed.

It seems that the only way to do direct ssh root login is if I put ptys
in /etc/securettys. But this way telnet root login is also enabled. Am I right?
Is there a way to enable direct ssh root login and to disable telnet root login
(without stopping telnetd)?

man ttys says:

"The secure terminal database file, /etc/securettys, controls root
logins for all security levels. The file is described in the securettys(4) reference page."

Help/suggestions will be appreciated.

Thanks,

(yes, yes, I've taken a look at the http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1001507 ...)
5 REPLIES
Ivan Ferreira
Honored Contributor

Re: direct ssh root login with enhanced security

I don't have that problem, and maybe it is because we never do an update installation. From man ttys:

The secure terminal database file, /etc/securettys, controls root logins for all security levels. The file is described in the securettys(4) reference page.

By default, the enhanced security terminal control information is stored in database format (ttys.db). The information was formerly stored in the ttys file and is converted to database format in an update installation. The convauth utility converts an existing ttys file to database format.

The database is /etc/auth/system/ttys.db

Try using /usr/tcb/bin/dxdevices to modify the configuration.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Aco Blazeski
Regular Advisor

Re: direct ssh root login with enhanced security

Hi Ivan,
Thank you for fast reply.

System is clean installed (not updated).
As can be seen from my post (edauth -g -dv), I've made changes in the devassign database.
As far as I can see from man ttys, ttys.db stores login records (last login, when, success/failure...). With dxdevices, the login timeout, maximum unsuccessful logins, and unsuccessful login delay can be modified.

So I believe that the only change that can be made is in the devassign database. Am I right, or am I missing something?

Regards,
Ivan Ferreira
Honored Contributor

Re: direct ssh root login with enhanced security

Probably, your problem is this:

*:\
:v_type=terminal:v_users=root:chkent:


On my system:

*:\
:v_type=terminal:chkent:
Ivan Ferreira
Honored Contributor

Re: direct ssh root login with enhanced security

What is the output of:

edauth -g -dt
Aco Blazeski
Regular Advisor

Re: direct ssh root login with enhanced security

Hi,
The default setting is the same as on your system. It was not working for root, so I've put v_users=root.
With v_users=root only root can ssh to the system, but only if /etc/securettys contains "ptys".

SRV1:root# edauth -g -dt
*:\
:t_devname=*:chkent:
*\:*:\
:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:
\:0|\:0.0:\
:t_devname=\:0:t_login_timeout#0:t_xdisplay:chkent:
\:0.1:\
:t_devname=\:0.1:t_login_timeout#0:t_xdisplay:chkent:
\:1|\:1.0:\
:t_devname=\:1:t_login_timeout#0:t_xdisplay:chkent:
console:\
:t_devname=console:chkent:
local\:0|local\:0.0:\
:t_devname=local\:0:t_login_timeout#0:t_xdisplay:chkent:

Regards,
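As an added audit helper (not code from the thread, and not a Tru64 tool): a parser for the termcap-style records shown in the edauth -g -dv and edauth -g -dt output above, which then lists each v_type=terminal device together with the users its v_users field admits. The sample records are constructed to match the shape of the thread's output; treating an absent v_users field as "no user restriction" is an assumption.

```python
"""Parse termcap-style Tru64 enhanced-security records (shape of edauth -g -dv / -dt).
Added example, not from the thread. A record is `names:\` on one line, then
`:field=value:field#number:flag:...:chkent:`; `\:` is an escaped colon inside names."""
import re

# Constructed sample modelled on the thread's `edauth -g -dv` output.
SAMPLE_DV = r"""console:\
:v_devs=/dev/console:v_type=terminal:chkent:
local\:0|local\:0.0:\
:v_devs=local\:0,local\:0.0:v_type=xdisplay:chkent:
*:\
:v_type=terminal:v_users=root:chkent:
*\:*:\
:v_devs=*\:*:v_type=xdisplay:chkent:
"""

def _split_fields(text):
    """Split on colons that are not escaped, then unescape `\:` in each part."""
    return [p.replace(r"\:", ":") for p in re.split(r"(?<!\\):", text)]

def parse_records(text):
    """Return {record_name: {field: value}}: `=` gives a string, `#` an int, a bare word True."""
    records = {}
    for line in text.replace("\\\n", "").splitlines():  # join `\`-continued lines
        if not line.strip():
            continue
        name, *fields = _split_fields(line)
        entry = {}
        for f in fields:
            if not f or f == "chkent":  # empty piece from `::`, or end-of-record marker
                continue
            if "=" in f:
                k, v = f.split("=", 1)
                entry[k] = v
            elif "#" in f:
                k, v = f.split("#", 1)
                entry[k] = int(v)
            else:
                entry[f] = True
        records[name] = entry
    return records

def terminal_users(records):
    """Map each v_type=terminal record to the user list from v_users, or None when
    no v_users field is present (assumed here to mean no restriction)."""
    out = {}
    for name, e in records.items():
        if e.get("v_type") == "terminal":
            out[name] = e["v_users"].split(",") if "v_users" in e else None
    return out

if __name__ == "__main__":
    for name, users in terminal_users(parse_records(SAMPLE_DV)).items():
        print(f"{name!r}: {'any user' if users is None else ','.join(users)}")
```

Feed it the real `edauth -g -dv` output to see at a glance which terminal-type entries name root explicitly and which carry no user restriction at all.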