Operating System - HP-UX

Re: Allow login from Console only

 
Juliana Lee
Occasional Advisor

Allow login from Console only

Hello

I followed the following instruction:

# echo console >> /etc/securetty
# chmod 600 /etc/securetty

I couldn't telnet as root but could log in as a normal user and "su" as root. However, I am still able to log in as root from another terminal. What can I do to disable this?
Patrick Wallek
Honored Contributor

Re: Allow login from Console only

Here is an ll of my /etc/securetty file:

-r-sr-xr-x 1 root sys 8 Mar 11 1996 /etc/securetty

I don't know if this will make a difference or not, but it's worth a shot.
Dan Hetzel
Honored Contributor

Re: Allow login from Console only

Hi Juliana,

Make sure your /etc/securetty has one single line.

# echo console > /etc/securetty
# chown root:sys /etc/securetty
# chmod 644 /etc/securetty

This should prevent root logins from all terminals but the system console.

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Dan Hetzel
Honored Contributor

Re: Allow login from Console only

Hi Patrick,

I don't really understand the permissions of your /etc/securetty file.
It shouldn't be marked for execution and surely not SUID....

On all servers we have here it's set to
-rw-r--r-- root sys ........

All the best,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Juliana Lee
Occasional Advisor

Re: Allow login from Console only

Thanks guys, I did both of your suggestions.

# ll /etc/securetty
-r-Sr-xr-x 1 root sys 8 Jan 25 10:49 /etc/securetty
# cat /etc/securetty
console

# chmod 644 /etc/securetty
# ll /etc/securetty
-rw-r--r-- 1 root sys 8 Jan 25 10:49 /etc/securetty

After logging in and out again, I can still log in as root.
I wonder if it has something to do with the dtterm! It seems that the file is not being read.
Dan Hetzel
Honored Contributor

Re: Allow login from Console only

Hi Juliana,

Are you using OpenSSH?

In that case, set "PermitRootLogin no" in your sshd_config file and restart the SSH daemon.

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
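
The settings suggested across the replies, gathered into one check as an added example (not code from any poster in this thread): it verifies that a securetty file lists only console with mode -rw-r--r--, and that an sshd_config sets PermitRootLogin no. The function names and the choice to pass both file paths as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are passed as arguments so the
# checks can also be run against copies of the files.

# check_securetty FILE
# Succeeds only if FILE holds the single entry "console" and its mode is
# -rw-r--r-- (no execute or setuid bits).
check_securetty() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    rc=0
    # First 10 characters of the ls mode column, e.g. -rw-r--r--
    mode=$(ls -ld "$f" | awk '{print $1}' | cut -c1-10)
    if [ "$mode" != "-rw-r--r--" ]; then
        echo "FAIL: $f mode is $mode, expected -rw-r--r--"; rc=1
    fi
    # Drop blank lines; ">>" run more than once, or extra terminal names,
    # leave more than the one expected entry.
    entries=$(awk 'NF' "$f")
    if [ "$entries" != "console" ]; then
        echo "FAIL: $f must contain the single line 'console'"; rc=1
    fi
    return $rc
}

# check_sshd_root_login FILE
# Succeeds only if the first uncommented PermitRootLogin line says "no".
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Match blocks are not evaluated here.
check_sshd_root_login() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$f")
    if [ "$val" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${val:-unset}' in $f"; return 1
    fi
    return 0
}

# Usage: sh this_script /etc/securetty <path to sshd_config>
if [ $# -eq 2 ]; then
    check_securetty "$1" && echo "OK: $1"
    check_sshd_root_login "$2" && echo "OK: $2"
fi
```

Restart the SSH daemon after changing sshd_config, as the last reply says, or the running daemon keeps its old setting.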