Operating System - HP-UX

Re: block telnet for root only ..

SOLVED
someone_4
Honored Contributor

block telnet for root only ..

Hi ..
I am trying to block telnet for root only. But I have another user with an id of 0 that needs to be able to telnet. I did /etc/securetty but that blocks everything with the uid of 0. Is there another way to block only the user name root from telnet?

Richard
Michael Tully
Honored Contributor

Re: block telnet for root only ..

Hi Richard,

You could try to set up an evaluation
of the user in the /etc/profile that
screens each user.

-Michael
Anyone for a Mutiny ?
Patrick Wallek
Honored Contributor

Re: block telnet for root only ..

Create a file called /etc/securetty and put the word 'console' (without the ' marks) in it and root will only be able to log in from the console. I don't think this will affect your other uid 0 user, but it might. Try it and see what happens.

# cat /etc/securetty
console

someone_4
Honored Contributor

Re: block telnet for root only ..

I got this from another question on the forum but it was a bit too much.

# refuse the login shell when the login name matches (quote $LOGNAME so the test
# does not break if the variable is empty)
if [ "$LOGNAME" = 'badUser' ]
then
    exit 1
fi


Richard
someone_4
Honored Contributor

Re: block telnet for root only ..

hi
yes
/etc/securetty
blocks all uids of 0.

Richard
S.K. Chan
Honored Contributor

Re: block telnet for root only ..

Use $LOGNAME to validate (if you want to go the /etc/profile route).
Michael Tully
Honored Contributor
Solution

Re: block telnet for root only ..

Hi Richard,

I should have thought of this before. I hope that this works.

Create /etc/nologin

Modify your /etc/profile with

# refuse the account named root while /etc/nologin exists; a second uid 0
# account with a different login name is not matched by this test
if [ -f /etc/nologin ] && [ "${LOGNAME}" = "root" ]
then
    echo "Not allowed to login as UID 0"
    exit 1
fi

This way you don't need to modify anything else on your system, if you want to get rid of it just remove the /etc/nologin file

HTH
-Michael
Anyone for a Mutiny ?
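The same /etc/profile idea, written as a function so the policy can be exercised against constructed inputs before it goes on a live box. This is an added example, not code from the thread; the login name, tty device and flag-file path it takes as arguments are assumptions, and /etc/nologin is only referenced in the pasted fragment.

```sh
#!/bin/sh
# Added example, not from the thread: the accepted /etc/profile check factored
# into a function. Inputs (assumed): the login name, the tty device of the
# session, and the path of a flag file (the thread's /etc/nologin) that turns
# the block on. Returns 0 = allow the login, 1 = refuse it.
#
# The test keys on the login *name*, so a second uid 0 account with a different
# name is unaffected, which is what /etc/securetty alone cannot express.
# Root on the physical console stays allowed, matching a securetty of "console".

root_login_allowed() {
    rla_name=$1
    rla_tty=$2
    rla_flag=$3

    # The block is active only while the flag file exists; rm it to lift it.
    [ -f "$rla_flag" ] || return 0

    # Only the account literally named "root" is affected.
    [ "$rla_name" = "root" ] || return 0

    # Root logged in on the console is still allowed.
    case "$rla_tty" in
        /dev/console) return 0 ;;
    esac

    return 1
}

# Fragment to paste into /etc/profile (HP-UX sh reads it for login shells).
# `tty` prints the device of the session's standard input, e.g. /dev/pts/3.
#
#   if ! root_login_allowed "${LOGNAME}" "$(tty)" /etc/nologin; then
#       echo "Not allowed to login as root from this terminal"
#       exit 1
#   fi

# Constructed self-check using a temporary flag file instead of /etc/nologin.
report() {  # report NAME TTY FLAG
    if root_login_allowed "$1" "$2" "$3"; then
        echo "$1 on $2: allowed"
    else
        echo "$1 on $2: refused"
    fi
}
demo_flag=$(mktemp) || exit 1
report root   /dev/pts/3   "$demo_flag"   # refused
report root   /dev/console "$demo_flag"   # allowed
report backup /dev/pts/3   "$demo_flag"   # allowed (other uid 0 name)
rm -f "$demo_flag"
report root   /dev/pts/3   "$demo_flag"   # allowed again, flag removed
```

A profile check only runs when a login shell reads /etc/profile, so treat it as a convenience policy layered on top of /etc/securetty rather than a replacement for it.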
someone_4
Honored Contributor

Re: block telnet for root only ..

how can i let console login for root only?

richard
James R. Ferguson
Acclaimed Contributor

Re: block telnet for root only ..

Hi Richard:

Any account with a uid=0 *is* "root". It would seem that you're trying to close the barn door after the horses have gotten out!

Regards!

...JRF...
Patrick Wallek
Honored Contributor

Re: block telnet for root only ..

This may seem like a silly suggestion but, why not have the person with the other uid 0 id telnet in with a normal, i.e. non uid 0, id and then su to root?

That way you can use securetty and still get access.
Michael Tully
Honored Contributor

Re: block telnet for root only ..

Hi Richard,

One further thing... Why not have everything
but the console still locked down with /etc/securetty
and....set up sudo, so that you can control what user uses what. I'm not sure of the reasoning as to why you want a second account using the uid of 0.

-Michael
Anyone for a Mutiny ?
Bill Hassell
Honored Contributor

Re: block telnet for root only ..

Just a note about security and stability: multiple UID 0 users is a really bad idea. The alternate root user(s) will make a mistake sometime as an ordinary user. Root's capability is far too powerful to use as a casual login. If the user(s) leaves the company and you remove all the files owned by this user...goodbye computer.

Instead, assign root privileges explicitly by using SAM -r (restricted SAM) or by getting a copy of sudo.

Bill Hassell, sysadmin