HPE Community
Operating System - HP-UX
1819870 Members
2544 Online
109607 Solutions
New Discussion юеВ

Disable remote root login

 
Peng Lu
Occasional Advisor

тАО11-15-2004 01:49 PM

тАО11-15-2004 01:49 PM

Disable remote root login

Hi,

I want to disable remote root login on HPUX 11i hosts. (only allow users login remotely as a normal user then su to root). I have created /etc/securetty file with the content "console". However, I can still remotely login as root through ssh2.

Is ssh handled differently or do I need to reboot after creating /etc/securetty file?

Thanks in advance.
Peng
0 Kudos
Reply
10 REPLIES 10
Bill Hassell
Honored Contributor

тАО11-15-2004 01:54 PM

тАО11-15-2004 01:54 PM

Re: Disable remote root login

Yes, ssh (older versions) do not use PAM for authentication. Download the latest version of OpenSSH from HP at software.hp.com. Alternatively, enable the parameter in your sshd_config file:

sshdPermitRootLogin no

NOTE: This should be mandatory on *ANY* system facing the open Internet. Over the last few months, many, many scripted attacks for ssh have been seen and root is one of several common logins being tested by hackers.


Bill Hassell, sysadmin
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО11-15-2004 01:57 PM

тАО11-15-2004 01:57 PM

Re: Disable remote root login

Almost forgot: the latest version of OpenSSH from HP is 3.71 and the item you need to turn on in sshd_config is:

UsePAM yes


Bill Hassell, sysadmin
0 Kudos
Reply
Peng Lu
Occasional Advisor

тАО11-15-2004 02:15 PM

тАО11-15-2004 02:15 PM

Re: Disable remote root login

Thanks Bill.

swlist shows my ssh is the following version:
"Secure_Shell A.03.71.000 HP-UX Secure Shell". And in "/opt/ssh/etc/sshd_config" file, "UsePAM" is set to "yes".

Am I looking into the wrong file?

Peng
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО11-15-2004 02:22 PM

тАО11-15-2004 02:22 PM

Re: Disable remote root login

I think I remember that /etc/securetty was hardcoded into the login program and not incorporated into PAM. You'll need to use:

PermitRootLogin no


Bill Hassell, sysadmin
0 Kudos
Reply
Peng Lu
Occasional Advisor

тАО11-15-2004 02:42 PM

тАО11-15-2004 02:42 PM

Re: Disable remote root login

Thanks again Bill.

I set "PermitRootLogin" to "no" and did a "kill -SIGHUP ". It doesn't allow me to ssh login as root. However, instead of a clear message, it still prompts for password. After I put in password, it keeps asking "password for root@:" which is a bit annoying (see below).

password for root@:
password for root@:
password for root@:
password for root@:
password for root@:
password for root@:
password for root@:

Disconnected; protocol error (Too many authentication failures for root).

As you can see, after 7 tries, it finally kicked me off.

Is this the way supposed to be?

Thanks,
Peng
0 Kudos
Reply
Ravi_8
Honored Contributor

тАО11-15-2004 04:31 PM

тАО11-15-2004 04:31 PM

Re: Disable remote root login


Hi

#echo console > /etc/securettys
#chmod 0744 /etc/securettys

no need to reboot after creating /etc/securettys file

ssh is given for security, it wouldn't allow direct root login even though /etc/securettys is not exist.
never give up
0 Kudos
Reply
Peng Lu
Occasional Advisor

тАО11-15-2004 04:51 PM

тАО11-15-2004 04:51 PM

Re: Disable remote root login

Hi Ravi,

I've already done what you said. See my previous messages.

BTW, ssh does allow you login as root if you don't change configuration.

Thanks anyway.
Peng
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО11-15-2004 11:31 PM

тАО11-15-2004 11:31 PM

Re: Disable remote root login

Yes, the ssh daemon does not give you a useful message and keeps denying access several times before closing the connection. The retry (in your case, 7) is set in the sshd_config file with PasswordGuesses. There are two schools of thought on error messages:

1. Provide the reason for authentication failure such as "root login is not allowed"

2. Use the same generic response for all authentication failures such as another request for the password.

In case #1, the sysadmin will know the reason without looking in syslog, but at the same time, provide the hacker with too many details. In case #2, the actual failure (root not allowed, username does not exist, password incorrect, etc) is not given, thus keeping the real reason away from the unauthenticated user. Most security people will choose less information for login attempts. Even Unix will not report whether you failed to type the username or failed to type the correct password, just "Login incorrect"


Bill Hassell, sysadmin
0 Kudos
Reply
Peng Lu
Occasional Advisor

тАО11-17-2004 10:24 AM

тАО11-17-2004 10:24 AM

Re: Disable remote root login

Thanks Bill.

Looking into sshd_config file, I couldn't find "PasswordGuess" parameter though. Is this something by default no there?

Peng
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО11-17-2004 01:43 PM

тАО11-17-2004 01:43 PM

Re: Disable remote root login

Ooops, sorry, that is a keyword for F-Secure's ssh2 product and not part of OpenSSH (I run both products on different servers).


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.