Operating System - HP-UX

Re: Disallow remote root, but allow others

 
Mike_316
Frequent Advisor

Disallow remote root, but allow others

Hey Folks!

I would like to configure an HPUX 10.20 box to DISallow root to remotely login via rlogin or telnet, but allow other users to remotely login and then su to root.

I would also like to allow root to log in directly from a terminal attached directly to the box, but only a text terminal (not an xterminal, should one ever get attached directly to the box).

Hope this is clear and thanks in advance!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Ian Dennison_1
Honored Contributor

Re: Disallow remote root, but allow others

Create an entry in the remote .rhosts file with the following,...

[hostname] -root

This should deny root rlogins, but allow 'su' once the user is logged in.

Share and Enjoy! Ian
Building a dumber user
Mike_316
Frequent Advisor

Re: Disallow remote root, but allow others

Fantastic! I will try it...however, can wildcards be used in the .rhosts file? I don't want ANY machine to be able to remote in as root, but don't want to have to maintain a list of all the machines on the network ON all the machines on the network (all the machines need to be set to disallow this).

Thanks again!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Mark Greene_1
Honored Contributor
Solution

Re: Disallow remote root, but allow others

Create the file /etc/securetty and add the following:

console
tty1

and whatever hardwired ttys you have from which you want root access. Note that this does not prevent anyone who knows the root password from doing su from a remote login to get to root.

HTH
mark
the future will be a lot like now, only later
Sanjay_6
Honored Contributor

Re: Disallow remote root, but allow others

Mike_316
Frequent Advisor

Re: Disallow remote root, but allow others

Great! I will try that too...unfortunately, the .rhosts is not working to prevent remote login. I remember reading somewhere that the root user is exempt from that sort of control (i.e. any OTHER username entered in the .rhosts with a minus sign will not be allowed remote login, but root is allowed even if it is seen in the .rhosts).

Regardless, I tested it from a specific machine by entering the following in the .rhosts file ...

-root

...and when I tried to rlogin and telnet from it, it asked for the username and password and root was allowed to login remotely (without an su).

By the way, it is GOOD that a user can su once in remotely, we just don't want people logging in as root from a remote session, we want them to have to login as a user first...THEN su to root.

Thanks!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Mike_316
Frequent Advisor

Re: Disallow remote root, but allow others

Sanjay,

Thanks for the document. I had thought about the inetd.sec file, however I don't know the syntax to disallow just root. It seems only to allow or disallow hosts, and I want users to be able to do rlogin, telnet, and remsh from all the hosts...just not root.

I am not sure how to tell it to disallow just root from all hosts.

Quite a quandary ...

Thanks!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Ian Dennison_1
Honored Contributor

Re: Disallow remote root, but allow others

Mike,

My apologies, I got my wires crossed while reading the original spec. I was thinking 'remsh' and 'rlogin' without a password being prompted for.

I think this is definitely a job for a package of some description. The last site I worked at disabled root from logging in on anything but the console, but I cannot remember if that stopped rlogins.

Best of luck with the solution. Ian
Building a dumber user
Darrell Allen
Honored Contributor

Re: Disallow remote root, but allow others

Hi Mike,

/etc/securetty is THE way to go for disallowing root login from anywhere but the console and whatever other devices you want to include. Man login gives you an example.

It is a very good practice to require login as non-superuser then su to root.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Wodisch
Honored Contributor

Re: Disallow remote root, but allow others

Hello Mike,

if you have "dtlogin" running (i.e. CDE), then do not forget to deny "root" (or better: uid=0) in /*/dt/config/Xstartup:

...
if [ "$LOGNAME" = "root" ]
then exit 1
fi
...

where "/*/" is "/etc/" and "/usr/", of course.

HTH,
Wodisch
Mike_316
Frequent Advisor

Re: Disallow remote root, but allow others

OK. Here's how I did it. The /etc/securetty was really the right answer. By telling the machine that the only secure terminal is the console attached to the machine, root can only directly login from there. So telnet will not allow root login (as telnet is not 'secure' according to /etc/securetty).

However, this still allowed for rlogin to work. So I used /var/adm/inetd.sec to refuse ALL rlogins by adding the line ...

login deny

... Now NO ONE can login via an rlogin, however as remsh (rsh) is controlled by a different daemon, you can still run a remote shell, even as root.

Thanks to everyone for getting me on the right track!

Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Mike_316
Frequent Advisor

Re: Disallow remote root, but allow others

Oh! Thanks for the CDE. I completely forgot.

I could not get the Xstartup file to have any effect. It did exist under /usr, but not /etc...however modifying/copying it to the specifications did not seem to have any effect on the login regardless. So, I put the script in sys.dtprofile and .dtprofile for root, and it has the desired effect.

Thanks again!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might treat each other as we should" - Dale Carnegie
Steven Sim Kok Leong
Honored Contributor

Re: Disallow remote root, but allow others

Hi,

>> However, this still allowed for rlogin to work. So I used /var/adm/inetd.sec to refuse ALL rlogins by adding the line ... login deny. ... Now NO ONE can login via an rlogin, however as remsh (rsh) are controlled by a different daemon, you can still run a remote shell, even as root.

If you want to block rlogin, remsh and rexec for all users, the cleaner way would be to simply comment out the following entries from /etc/inetd.conf and run inetd -c to re-read the configuration file:

Comment out these lines:

# exec
# login
# shell

Re-read configuration:

# inetd -c

Hope this helps. Regards.

Steven Sim Kok Leong
Darrell Allen
Honored Contributor

Re: Disallow remote root, but allow others

Hi again,

Just to followup on rlogin and /etc/securetty...

rlogin disallows root login from terminals not in /etc/securetty IF root is not set up for rlogin without a password by /.rhosts or /etc/hosts.equiv.

I tend to forget that /.rhosts and hosts.equiv get around securetty because I generally don't allow rlogin (or remsh or rexec) by removing them from inetd.conf.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
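The replies above spread the policy over four files: /etc/securetty decides where root may log in directly, /var/adm/inetd.sec and /etc/inetd.conf decide whether rlogin, remsh and rexec are reachable at all, and /.rhosts or /etc/hosts.equiv can let rlogin skip both the password and securetty. The script below is an added audit example, not code from the thread or from HP; it re-reads those files and reports where direct or password-less remote root access is still possible. The file paths are parameters, and the sample configurations it writes (the inetd.conf daemon paths included) are constructed for the demonstration rather than copied from a real host. The assumption that a `deny` line in inetd.sec with no host list denies every host follows the thread's own use of it.

```shell
#!/bin/sh
# Added audit example, not code from the thread. It re-reads the files the
# replies rely on (/etc/securetty, /var/adm/inetd.sec, /etc/inetd.conf,
# /.rhosts or /etc/hosts.equiv) and reports where direct or password-less
# remote root access is still possible. Paths are parameters so the checks
# can run against copies or, as here, against constructed sample files.

# 0 if terminal $1 is listed (uncommented) in a securetty-style file $2.
securetty_lists() {
    [ -f "$2" ] || return 1
    awk -v t="$1" '$1 !~ /^#/ && $1 == t { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# 0 if inetd.sec ($2) has an unconditional "<service> deny" line for $1.
# Assumption, as the thread uses it: a deny line with no host list denies all hosts.
inetd_sec_denies_all() {
    [ -f "$2" ] || return 1
    awk -v s="$1" '$1 == s && $2 == "deny" && NF == 2 { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# 0 if service $1 is still enabled (uncommented) in an inetd.conf-style file $2.
inetd_conf_enables() {
    [ -f "$2" ] || return 1
    awk -v s="$1" '$1 == s { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Print the number of active (non-comment, non-blank) lines in an
# rhosts/hosts.equiv-style file; a missing file counts as zero.
trust_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Audit one host: findings go to stderr, the finding count to stdout
# (0 means the thread's policy holds: root only at the console, everyone
# else may log in remotely and su).
audit_remote_root() {
    st=$1; isec=$2; iconf=$3; rh=$4
    n=0
    if [ ! -f "$st" ]; then
        echo "FINDING: $st missing, so root may log in on any terminal, telnet included" >&2
        n=$((n + 1))
    elif ! securetty_lists console "$st"; then
        echo "FINDING: console is not listed in $st, so root cannot log in even at the console" >&2
        n=$((n + 1))
    fi
    if inetd_conf_enables login "$iconf" && ! inetd_sec_denies_all login "$isec"; then
        echo "FINDING: rlogin is reachable; a /.rhosts entry would let root skip both the password and securetty" >&2
        n=$((n + 1))
    fi
    for svc in shell exec; do
        if inetd_conf_enables "$svc" "$iconf"; then
            echo "FINDING: inetd service '$svc' is enabled; remsh/rexec are not governed by securetty" >&2
            n=$((n + 1))
        fi
    done
    if [ "$(trust_entries "$rh")" -gt 0 ]; then
        echo "FINDING: $rh has active trust entries; rlogin/remsh from those hosts need no password" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample configurations (not real host files) under directory $1:
# "weak" is an untouched box with no securetty file at all, "mike" is the
# thread's final setup (securetty plus "login deny" in inetd.sec), and
# "hardened" additionally comments login/shell/exec out of inetd.conf.
write_samples() {
    for h in weak mike hardened; do mkdir -p "$1/$h"; done
    inetd='login stream tcp nowait root /usr/lbin/rlogind rlogind
shell stream tcp nowait root /usr/lbin/remshd remshd
exec  stream tcp nowait root /usr/lbin/rexecd rexecd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd'
    printf '%s\n' "$inetd" > "$1/weak/inetd.conf"
    printf 'login allow\n' > "$1/weak/inetd.sec"
    printf 'trustedhost root\n' > "$1/weak/rhosts"
    printf 'console\n' > "$1/mike/securetty"
    printf 'login deny\n' > "$1/mike/inetd.sec"
    printf '%s\n' "$inetd" > "$1/mike/inetd.conf"
    printf 'console\n' > "$1/hardened/securetty"
    printf 'login deny\n' > "$1/hardened/inetd.sec"
    printf '%s\n' "$inetd" | sed 's/^login /#login /; s/^shell /#shell /; s/^exec /#exec /' \
        > "$1/hardened/inetd.conf"
}

# Run the demonstration only when invoked with "demo", so the functions can
# also be sourced into another script.
if [ "${1:-}" = demo ]; then
    d=${TMPDIR:-/tmp}/root_audit.$$
    write_samples "$d"
    for h in weak mike hardened; do
        echo "== $h"
        audit_remote_root "$d/$h/securetty" "$d/$h/inetd.sec" "$d/$h/inetd.conf" "$d/$h/rhosts"
    done
    rm -rf "$d"
fi
```

Running it with `demo` shows the three states the thread passes through: the untouched box has five findings, the "login deny" setup still reports shell and exec (Mike's observation that remsh keeps working even as root), and only the configuration with the three inetd services commented out comes back clean. To audit a live box, point the functions at the real paths (/etc/securetty, /var/adm/inetd.sec, /etc/inetd.conf and /.rhosts, then again with /etc/hosts.equiv).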
Alex Glennie
Honored Contributor

Re: Disallow remote root, but allow others

To prevent root from logging in to CDE at any display:

Create /etc/dt/config/Xsession.d/0001.noroot (755 root sys) with the following contents:

#!/usr/bin/sh

# Deny CDE login to root on every display ($USER is quoted so the test
# cannot break if the variable is empty)
if [ "$USER" = root ]; then
    /usr/dt/bin/dterror.ds 'Root Access Denied\n
Login as a non-root user, \n
or as root through Command Line Login' 'title' 'OK'
    exit 0
fi

To prevent root from logging in at remote displays (Xterminals, PC X emulators):

Create /etc/dt/config/Xsession.d/0001.noremoteroot (755 root sys) with the following contents:

#!/usr/bin/sh

# Deny CDE login to root unless the display is the local console
if [ "$USER" = root ]; then
    if [ ! "$DISPLAY" = "local_hostname:0.0" ] ; then
        /usr/dt/bin/dterror.ds 'Remote Root Access Denied\n
Login as a non-root user,\n
or as root at the console' 'title' 'OK'
        exit 0
    fi
fi

With the second option, replace "local_hostname" with the short hostname of the 9000 in question.
Both of these options will present a user who attempts to login to CDE as root through the prevented means with a dialog box with the associated text. When the user clicks "OK", the login banner will reappear.

Note: The "title" argument is passed to dterror.ds as a required field, but in this case (displaying the pop-up during an attempted CDE login) there is no window manager running. The text given for title will therefore not be seen.

So depending upon who and where you want to prevent them logging in, you should be able to adapt this for all users too?

PS: you'd need to restart X for it to take effect!
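The two Xsession.d scripts above hinge on one comparison, `"$DISPLAY" = "local_hostname:0.0"`, which only matches that exact string. The functions below are an added example, not code from the thread or from CDE, that pull the decision out into testable shell so it can be checked outside a login session. They generalise the comparison: a DISPLAY counts as the local console when its host part is empty (":0"), "unix", "localhost", or the box's own short name with or without a domain suffix, on display number 0 with any screen number; anything unparsable is treated as remote, so the check fails closed. The mode argument, the function names and the constructed host and display names in the test are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the decision behind the two
# Xsession.d scripts as testable shell functions. It generalises the single
# "local_hostname:0.0" string comparison (see display_is_local) and treats
# anything it cannot parse as remote.

# 0 if DISPLAY value $1 refers to the console display of the host named $2.
display_is_local() {
    disp=$1
    host=${2%%.*}                 # short hostname, whatever form hostname(1) gave
    h=${disp%%:*}                 # host part of host:display.screen
    h=${h%%.*}                    # drop any domain suffix
    rest=${disp#*:}               # display.screen (unchanged if no ':' present)
    d=${rest%%.*}                 # display number
    [ "$d" = 0 ] || return 1      # only display 0 is the console
    case $h in
        ""|unix|localhost|"$host") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "allow" or "deny" for a CDE login by user $1 on DISPLAY $2 at host $3.
# Mode $4 (an assumed parameter) selects which of the thread's two policies applies:
#   noremoteroot  root only at the local console (0001.noremoteroot)
#   noroot        root never through CDE (0001.noroot)
# The test is on the login name, like the thread's scripts; Wodisch's point
# stands that a second uid-0 account under another name would pass it.
cde_login_decision() {
    user=$1; disp=$2; host=$3; mode=${4:-noremoteroot}
    [ "$user" = root ] || { echo allow; return 0; }
    case $mode in
        noroot) echo deny ;;
        noremoteroot)
            if display_is_local "$disp" "$host"; then echo allow; else echo deny; fi ;;
        *) echo deny ;;           # unknown mode: fail closed
    esac
}

# How the decision would sit in /etc/dt/config/Xsession.d/0001.noremoteroot:
# the file is sourced by Xsession, so 'exit 0' here ends the session and the
# login banner reappears, as in the thread's scripts. Not called in this file.
xsession_gate() {
    if [ "$(cde_login_decision "$USER" "$DISPLAY" "$(hostname)" noremoteroot)" = deny ]; then
        /usr/dt/bin/dterror.ds 'Remote Root Access Denied\n
Login as a non-root user,\n
or as root at the console' 'title' 'OK'
        exit 0
    fi
}
```

Keeping the decision in a function also makes the edge cases visible: an X terminal that happens to present its display as `hostname:0` (no screen number) is still local, display `:1` on the same box is still refused because the thread's scripts only trust display 0, and an empty or malformed DISPLAY is refused rather than silently allowed.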
Darrell Allen
Honored Contributor

Re: Disallow remote root, but allow others

Learned something else. /etc/hosts.equiv is ignored if the local user is a superuser (man hosts.equiv)

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)