Re: Direct Root Login

Pauline Patricia · ‎02-23-2010

Hi,

Please tell me the steps to enable direct root login access in HP Unix 11i v3.

I have made the parameter PermitRootLogin yes in /etc/opt/ssh/sshd_config file.

Have restarted the sshd also.. But still am unable to login directly with root.

Could you please help me.

Many Thanks!
Pauline

Jupinder Bedi · ‎02-23-2010

see your /etc/securetty file . if this file exists do followuing steps

cat /etc/securetty

and see if thrd "console" is there in the file . if yes than comment out that console but this is not recommended due to security reasons because root can only login from the console. os the best practice is

login as a simple user and do su to root.

All things excellent are as difficult as they are rare

Sachin Kumbla · ‎02-23-2010

Hi

Kindly send the o/p of ps -ef |grep -i ssh command.

Horia Chirculescu · ‎02-23-2010

Hello, Patricia

You should check your log files in order to find more informations about this issue.

Check /var/adm/syslog/syslog.conf)

Horia.

Best regards from Romania,
Horia.

Pauline Patricia · ‎02-23-2010

Hi,

/etc/securetty file is not available in my server.

Here is the o/p of ps -ef |grep sshd

wfapp:root-/>ps -ef |grep sshd
root 8623 1 0 Feb 22 ? 0:00 sshd: dr199476 [priv]
dr199480 14567 14565 0 18:43:25 ? 0:00 sshd: dr199480@pts/6
root 14565 8876 0 18:43:20 ? 0:00 sshd: dr199480 [priv]
root 8876 1 0 Feb 22 ? 0:00 /opt/ssh/sbin/sshd
root 14609 14581 0 18:44:16 pts/6 0:00 grep sshd
dr199476 8625 8623 0 Feb 22 ? 0:00 sshd: dr199476@pts/5
wfapp:root-/>

Sachin Kumbla · ‎02-23-2010

Hi

you need to change the parameter

PermitRootLogin yes in the following file

/opt/ssh/etc/sshd_config.

& then restart the daemon.

Rgds.,
Sachin Kumbla

Pauline Patricia · ‎02-23-2010

Hi,

As I mentioned earlier I have done changes in sshd_config file as well restarted the sshd daemon.

Dear Horia,

I could not find any file syslog.conf under /var/adm/syslog/ directory.

This server is hardened with Bastille Hardening Tool.

Horia Chirculescu · ‎02-23-2010

>I could not find any file syslog.conf under /var/adm/syslog/ directory.

Check /etc/syslog.conf in order to find out where the syslogd daemon writes the logs.

Horia.

Best regards from Romania,
Horia.

Horia Chirculescu · ‎02-23-2010

>This server is hardened with Bastille Hardening Tool.

Bastille does not have any customization to disallow root logins from remote? You should check this.

Horia.

Best regards from Romania,
Horia.

Johnson Punniyalingam · ‎02-23-2010

Please Check "below" from my server sshd_config
try placing # in all Permit from ssh config file.

# grep -i Permit /opt/ssh/etc/sshd_config
#PermitRootLogin forced-commands-only
#PermitEmptyPasswords no
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
#PermitUserEnvironment no
#PermitTunnel no

HTH,
Johnson

Problems are common to all, but attitude makes the difference

Pauline Patricia · ‎02-23-2010

I could not find any parameter in bastille configuration file that is disallowing root login.

Hoping that bastille configuration does not come into picture.

Since this server is running HP 11i v3, is there any other changes need to be done??

Patrick Wallek · ‎02-23-2010

>> But still am unable to login directly with root.

What happens when you attempt to login as root? What command do you run? What error do you get? Commands run and actual errors received would be a very big help in trying to solve this.

Horia Chirculescu · ‎02-23-2010

Pauline, please read the paragraph below. I have extracted from:

http://docs.hp.com/en/B2355-90950/apbs01.html

"Q: Should Bastille disallow root logins from network tty's? [N] [N]

Level: Account Security

Bastille can restrict root from logging into a tty over the network.
This will force administrators to log in first as a non-root user, then
su to become root. Root logins will still be permitted on the console and
through services that do not use tty's ( e.g. HP-UX Secure Shell ).

This can stop an attacker who has only been able to steal the root password
from logging in directly to a tty. The attacker has to steal a second account's
password to make use of the root password via the network, or gain access to a
non-tty login mechanism.

MAKE SURE that you can login using a non-root account before you do this,
or you will obviously need access to the console or a non-tty remote login
mechanism, e.g. Secure Shell, to login."

Horia.

Best regards from Romania,
Horia.

Pauline Patricia · ‎02-23-2010

Dear Patrick,

Am just trying to login to my server via ssh through putty with root login.

Its just giving "Access Denied".

Dear Horiam

I checked this parameter in bastille configuration file.

# Q: Should Bastille disallow root logins from network TTYs? [N]
AccountSecurity.create_securetty="N"

Its not enabled..

Horia Chirculescu · ‎02-23-2010

There i sone way to actually clarify this for good:

Just enable telnet (if not allready enabled) on the server and try to actually telnet into this server from a remote location.

Also, you should try to find out if

ssh localhost

is working on the server (in order to find out if you have a global issue or only a network related problem).

Horia.

Best regards from Romania,
Horia.

Pauline Patricia · ‎02-23-2010

I enabled telnet. Tried to login with root via telnet ..but giving access denied.

I tried to ssh localhost...Prompted for root password.. after giving the password it says "Permission denied, please try again.
"

Horia Chirculescu · ‎02-23-2010

If you can login as a non-root user, then your problem is with security settings. Maybe Bastille is not working as expected or you have missed some settings.

Horia.

Best regards from Romania,
Horia.

Horia Chirculescu · ‎02-23-2010

Do you have the file:

/etc/securetty

Which is his content?

cat /etc/securetty

Horia.

Best regards from Romania,
Horia.

Pauline Patricia · ‎02-23-2010

No.. /etc/securetty is not available..

shanmuhanandam · ‎02-25-2010

Hi,
login to the console and check #ssh 0 or #telnet 0. if it is not working then revert back the bastille and try it...

Thanks,
Shanmugam.B

I am an HPE Employee

Azaru · ‎03-04-2010

Hi,

Though I made PermitRootLogin yes in sshd_config file..I missed to do a proper restart of ssh.

#/sbin/init.d/secsh stop
#/sbin/init.d/secsh start

I used to kill the sshd process and restart /opt/ssh/sbin/sshd which actually didnt work.

Pauline Patricia · ‎03-04-2010

Issue has resolved.

Patrick Wallek · ‎03-04-2010

How? What resolved the problem?