stop root login via ilo

randy_108
Advisor

stop root login via ilo

I ran Bastille and successfully stopped root from logging in with PuTTY. But iLO still lets root log in. Any idea how to stop this?

Thanks
Randy
2 REPLIES
Ivan Krastev
Honored Contributor

Re: stop root login via ilo

Remove "/dev/ttyS1" from /etc/securetty.

regards,
ivan
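
Added example (not part of the original posts): a POSIX shell sketch that checks whether a securetty-style file still permits root on a given terminal and prints a copy with that entry removed, using the device named in the reply above. Entries in this file are normally written without the /dev/ prefix, so both forms are accepted; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and filter a securetty-style file.
# Function names and the demo file are hypothetical, not from the thread.

# normalize_tty NAME: strip an optional leading /dev/ so that
# "/dev/ttyS1" and "ttyS1" compare equal.
normalize_tty() {
    printf '%s\n' "${1#/dev/}"
}

# root_allowed_on FILE TTY: exit 0 if TTY is an active entry in FILE.
# Text after '#' is ignored (assumption of this example).
root_allowed_on() {
    want=$(normalize_tty "$2")
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's|^/dev/||' "$1" | grep -Fxq -- "$want"
}

# securetty_without FILE TTY: print FILE with every entry for TTY removed.
# Comments, blank lines and all other entries pass through unchanged,
# and the match is exact, so removing ttyS1 leaves ttyS10 alone.
securetty_without() {
    want=$(normalize_tty "$2")
    awk -v want="$want" '
        {
            entry = $0
            sub(/#.*/, "", entry)
            gsub(/^[ \t]+|[ \t]+$/, "", entry)
            sub(/^\/dev\//, "", entry)
            if (entry != "" && entry == want) next
            print
        }' "$1"
}

# demo: run against a constructed sample, never the live file.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' console tty1 ttyS0 ttyS1 > "$tmp"
    root_allowed_on "$tmp" /dev/ttyS1 && echo "before: root allowed on ttyS1"
    securetty_without "$tmp" /dev/ttyS1
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

To apply the result, write the filtered output to a temporary file, review it, keep a backup of /etc/securetty, and only then replace the original.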
Matti_Kurkela
Honored Contributor

Re: stop root login via ilo

The iLO is designed to allow the sysadmin almost the same access as when physically standing next to the machine and using the system console. When a system is running normally, iLO is not needed: it is necessary only when the system has such severe problems that normal login methods don't work, or you need to restore the operating system from backups (or even reinstall from scratch).

If you don't want to give someone the keys to your computer room, you usually don't want to give him/her an iLO password either. If you don't trust someone enough to allow him root access, you *definitely* should not give him iLO access.

Your options at this point:

1.) disable root logins from the console (both physical and iLO), and accept that if there are serious login problems, the system needs to be rebooted from the CD-ROM (or from iLO virtual media) to fix it.
This does not really improve security very much: if someone unauthorized has iLO access, he can use iLO's virtual media and remote power control functions to crash the machine and reboot it using the boot media of his own choice.

2.) disable iLO, and accept that if there are serious problems of any kind, someone must go to the computer room and diagnose and fix them there. This requires more time and effort than remote diagnostics using iLO, so your SLAs should be adjusted accordingly (either the time limits get easier, or the price goes higher).

3.) accept the fact that iLO is a "master key" for your server, and treat it accordingly. This might mean connecting all the iLOs to a separate network segment, which is accessible only through a gateway machine that requires strong authentication and logs all sessions.

MK