
/etc/securetty file

Jerry L. Sims
Frequent Advisor

/etc/securetty file

Hello Gang,

I attempted to prevent people from accessing the system with the 'root' ID remotely. I thought I could control this with the `securetty` file, but it does not work. I also viewed the `/var/adm/inetd.sec`, but found no help there.
Please advise. Thanks.

# ll /etc/securetty
-rw-r--r-- 1 root sys 8 Jan 29 15:12 /etc/securetty

cat /etc/securetty
console
10 REPLIES 10
Rodney Hills
Honored Contributor
Solution

Re: /etc/securetty file

Your setup looks correct.

Are the remote people using rlogin or ssh?

Only those users that actually run "login" will be prevented (i.e. telnet).

HTH

-- Rod Hills
There be dragons...
Jerry L. Sims
Frequent Advisor

Re: /etc/securetty file

Yes, they are using "ssh".
Sridhar Bhaskarla
Honored Contributor

Re: /etc/securetty file

Hi,

I believe you checked for any ghost characters in /etc/securetty file. It should work.

Are you saying "root" is able to login directly with telnet|rlogin even with this file?

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Rodney Hills
Honored Contributor

Re: /etc/securetty file

If you don't want people using "ssh" as root from another system, then you can remove the access for "root" on that machine.

The .ssh folder in the home directory of "root" has the files that allow people to ssh in.

-- Rod Hills
There be dragons...
Jerry L. Sims
Frequent Advisor

Re: /etc/securetty file

Hello Sri,

The /etc/inetd.conf has:
telnet
rlogin
login
rexec
and so on commented out.

Only "ssh & ftp" are allowed.
James A. Donovan
Honored Contributor

Re: /etc/securetty file

SSH doesn't look at the /etc/securetty file.

You need to modify your sshd_config file so that the line with PermitRootLogin is uncommented and is set to "no".

Then restart your sshd daemon.
Remember, wherever you go, there you are...
Seth Parker
Trusted Contributor

Re: /etc/securetty file

Are you using the /etc/ftpd/ftpusers file? If not, you can restrict root from using FTP by adding root to ftpusers. The file does the opposite of what it seems like it would do: any user listed in the file is denied access.

All you'd have to do is "echo root>/etc/ftpd/ftpusers" and root should be denied access immediately. The ownership of the file should be "bin:bin" and the permissions 664.

Check out the man page for ftpusers for a little more info.

Regards,
Seth
Igor Sovin
Super Advisor

Re: /etc/securetty file

Hi!
file /etc/securetty must contain:

console
/dev/console

then remote access as root would be disabled

Mobeen_1
Esteemed Contributor

Re: /etc/securetty file

Jerry,
If you have SSH implemented on your systems then you need to set permitrootlogin to NO in the ssh config file.

If you don't have SSH implemented then look at making changes to inetd.conf file

rgds
Mobeen
Jerry L. Sims
Frequent Advisor

Re: /etc/securetty file

Thanks Jim D.

The "PermitRoot" modification in "sshd_config" works. Thanks....... :>)
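
Added example, not part of the thread or written by any poster: a POSIX sh audit of the three files the replies name (sshd_config for ssh, /etc/securetty for login, ftpusers for ftp). The function names are hypothetical, the securetty check assumes the single-line `console` file shown in the question, and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): check the three files the replies name.

# Print the global PermitRootLogin value of an sshd_config, or "unset".
# Commented lines do not count; sshd keeps the first value it reads.
# Match blocks are not evaluated here: parsing stops at the first Match line.
sshd_root_login() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed only if every line of securetty is exactly "console", so trailing
# blanks, carriage returns and other stray characters are reported.
securetty_console_only() {
    [ -s "$1" ] && ! grep -qvx 'console' "$1"
}

# Succeed if user $2 is listed in ftpusers file $1 (listed users are denied).
ftp_denied() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# audit <sshd_config> <securetty> <ftpusers>: print findings, return 1 if any.
audit() {
    rc=0
    v=$(sshd_root_login "$1")
    [ "$v" = no ] || { echo "ssh: PermitRootLogin is '$v', not 'no'"; rc=1; }
    securetty_console_only "$2" || { echo "login: securetty is not just 'console'"; rc=1; }
    ftp_denied "$3" root || { echo "ftp: root is not listed in ftpusers"; rc=1; }
    return $rc
}

# Run against real files when three paths are given; otherwise against
# constructed samples that mirror the state described in the question.
if [ "$#" -eq 3 ]; then
    audit "$@"
else
    d=${TMPDIR:-/tmp}/rootaudit.$$
    mkdir -m 700 "$d" || exit 1
    printf '#PermitRootLogin no\nPort 22\n' > "$d/sshd_config"   # constructed
    printf 'console\n' > "$d/securetty"                           # as posted
    : > "$d/ftpusers"                                             # constructed
    audit "$d/sshd_config" "$d/securetty" "$d/ftpusers" || echo "findings: see above"
    rm -rf "$d"
fi
```

Run it with the three real paths as arguments to audit a system; with no arguments it reports on the constructed samples, where the commented-out PermitRootLogin line and the empty ftpusers file are both flagged.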