HPE Community
Operating System - HP-UX
1834639 Members
2650 Online
110069 Solutions
New Discussion

Directly login deny

 
Manuel_8
Advisor

‎08-13-2002 06:22 AM

‎08-13-2002 06:22 AM

Directly login deny

Hello guys,
I want thet the root user can't log directly on the system, but only whit su - root command.

Please help me

Thanks

0 Kudos
Reply
8 REPLIES 8
Sridhar Bhaskarla
Honored Contributor

‎08-13-2002 06:26 AM

‎08-13-2002 06:26 AM

Re: Directly login deny

Hi,

Create /etc/securetty file with "console" in
it. It will allow root to login from console only. Others have to login as themselves and then su to root.

#cat /etc/securetty
console

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎08-13-2002 06:26 AM

‎08-13-2002 06:26 AM

Re: Directly login deny

Hi Manuel,

Create the following file
/etc/securetty
containing only the word
console

This prevents root from logging in from anywhere except the console.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

‎08-13-2002 06:27 AM

‎08-13-2002 06:27 AM

Re: Directly login deny

Hi!

Just create a file /etc/securetty containing the line "console". See login(1) man page.

Please note that not all services respect this feature! E.g. ftp needs to be denied for root also. Same for rexec. Otherwise one could e.g. use ftp as root to remove the /etc/securetty file.

Regards...
Dietmar
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎08-13-2002 06:27 AM

‎08-13-2002 06:27 AM

Re: Directly login deny

Hi Manuel:

Create a file titled '/etc/securetty'. When present, root is allowed to log in only on the devices listed in the file. Enties are the device tty name, one per line.

In your case, specify "console" so that root can login at the console device, but no where else unless an 'su' operation is performed to root.

Regards!

...JRF...
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎08-13-2002 06:29 AM

‎08-13-2002 06:29 AM

Re: Directly login deny

YOu can do this by creating the file /etc/securetty with the word
console
in it. The file should have permission 600 (root:bin). That will disable direct root login from any tty port EXCEPT at the console.
0 Kudos
Reply
Sajid_1
Honored Contributor

‎08-13-2002 06:31 AM

‎08-13-2002 06:31 AM

Re: Directly login deny

This can't be done totally. But you can restrict the root direct login to specific ttys (for eg: console). For doing this, edit the /etc/securetty file and add the 'tty' entries there and the root login can only be done from there. But you can do a 'su' from all terminal sessions.
learn unix ..
0 Kudos
Reply
Chris Wilshaw
Honored Contributor

‎08-13-2002 06:31 AM

‎08-13-2002 06:31 AM

Re: Directly login deny

If you wish to prevent root from logging in on the console too, rather than having console in /etc/securetty, you can just create a blank file. Then root is only usable via su.

> /etc/securetty

ll /etc/securetty
-r--r--r-- 1 root sys 0 Aug 13 15:31 /etc/securetty
0 Kudos
Reply
MANOJ SRIVASTAVA
Honored Contributor

‎08-13-2002 06:56 AM

‎08-13-2002 06:56 AM

Re: Directly login deny

Manuel


What we do is to add the following lines in the /etc/profile


loginid=`who am i | awk '{print $1}'`


echo $loginid
if [ $loginid = root ]
then
exit
fi

this will make you just su to root


Manoj Srivastava
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.