
/etc/securetty problem.

 
SOLVED
yank
Occasional Advisor

/etc/securetty problem.

Hi!

I am trying to restrict connections to an HP712 station to user root only (there are many users defined on the station). I added the file /etc/securetty and it looks like this:
cat /etc/securetty
console
ttyp1
ttyp2
But when I try to log in to the station (with the rlogin command) from another host as a user that is not root, I succeed. What is my error?
Maybe file permissions?

I'll be really grateful for any advice.

Thank you.
10 REPLIES
Clemens van Everdingen
Honored Contributor

Re: /etc/securetty problem.

Hi,

The securetty file means that user root is only allowed to login on the console and other defined tty ports.

If a user does an rlogin from another system, it is of course allowed to log in, since the user is defined on the workstation!

So if you want to deny users login to the system, you will have to remove them from the password file.

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Christian Gebhardt
Honored Contributor

Re: /etc/securetty problem.

Hi

To prevent login you can use a tcpwrapper; there are many postings in this forum.

Another good idea is using ssh and forbidding any other access in /etc/inetd.conf

Chris
Ravi_8
Honored Contributor

Re: /etc/securetty problem.

Hi,

If /etc/securetty is defined, only the root is allowed to login as root from the console and from nowhere else.
rlogin uses the .rhosts and hosts.equiv files and not the /etc/securetty.
never give up
Robert-Jan Goossens
Honored Contributor

Re: /etc/securetty problem.

yank
Occasional Advisor

Re: /etc/securetty problem.

Thank you for the answers.

But it does not really help me.
I'll try to explain it another way.
I have a modem that is connected to the station.
And I want only user root to be able to log in through the modem. So I wanted to do it with the /etc/securetty file. As I understand it, I can't do it that way. So what is the right solution? (I can't delete other users from the station, but access through the modem should be only for root.)

Thank you for your time.
Clemens van Everdingen
Honored Contributor

Re: /etc/securetty problem.

Hi,

I could not test this idea at the moment, but it might work !

You could try to do a chmod 600 on the device file of the tty used by the modem !?
Of course check if root is the owner in this case.

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
Frank Slootweg
Honored Contributor

Re: /etc/securetty problem.

In /etc/profile, you can test if the output of tty(1) is the tty device file of the modem. If it is, you can test if $LOGNAME is root. If so, you continue. If not you do an exit.

Be careful when testing this, because if you make an error, you can lock out everybody this way, including root. Make sure that during testing root is logged in on another terminal, so you can fix things if they go wrong.

If any user has a C-shell in /etc/passwd, you will have to make similar modifications to /etc/csh.login.
Chris Wong
Trusted Contributor
Solution

Re: /etc/securetty problem.

There are only 2 things I can think of:
1). Use a dialup password (which can be used on any tty actually). Put the device file name in /etc/dialups. Next, create a password for the shell that root uses and place this in /etc/d_passwd:
/sbin/sh:3VRzvUkI8WwSs:

This should NOT be root's password, but a separate password used just for the modem.

login: root
Password:
Dialup Password:

Does this prevent other users from logging on? No, you must create another entry for every kind of shell in the /etc/d_passwd. Obviously, don't give this password to them and they won't be able to logon. If their shell is not in this file, they just have to hit "enter" at the Dialup Password prompt to get in.

The other alternative is to use the Trusted System "restrict terminal by user" feature. Edit the /tcb/files/devassign file (v_users=root) or in SAM under Peripheral Devices, Terminal & Modems, Select Device, Action - Modify Authorized Users.

- Chris
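
The gap described in the reply above (a shell with no /etc/d_passwd entry gets past the Dialup Password prompt) can be audited with a short script. This is an added example, not part of the original thread; the function names and sample data are constructed, and treating an entry with an empty password field as "not covered" is an assumption.

```shell
#!/bin/sh
# Added example: list every login shell found in a passwd-format file that
# has no usable entry in a d_passwd-format file (shell:encrypted-password:).
# On the system discussed here the arguments would be /etc/passwd and /etc/d_passwd.
missing_dialup_shells() {
    # $1 = passwd-format file, $2 = d_passwd-format file
    awk -F: '
        # d_passwd is read first: remember shells that carry a password.
        FILENAME == ARGV[1] {
            if ($1 !~ /^#/ && $1 != "" && $2 != "") covered[$1] = 1
            next
        }
        # passwd: skip comments and malformed lines; field 7 is the shell.
        /^#/ || NF < 7 { next }
        {
            shell = ($7 == "") ? "(empty)" : $7
            if (!(shell in covered) && !(shell in seen)) {
                seen[shell] = 1
                print shell
            }
        }
    ' "$2" "$1" | sort
}

# Constructed sample data: three shells in use, two covered by d_passwd.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:101:20::/home/alice:/usr/bin/ksh
bob:*:102:20::/home/bob:/usr/bin/csh
carol:*:103:20::/home/carol:/usr/bin/ksh
EOF
    cat > "$tmp/d_passwd" <<'EOF'
/sbin/sh:CONSTRUCTEDHASH1:
/usr/bin/ksh:CONSTRUCTEDHASH2:
EOF
    missing_dialup_shells "$tmp/passwd" "$tmp/d_passwd"
    rm -rf "$tmp"
}

demo_audit
```

Any shell this prints needs its own line in /etc/d_passwd before the dialup password restricts every account on the modem line.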
Frank Slootweg
Honored Contributor

Re: /etc/securetty problem.

Thanks, Chris!

Forgot all about dialup passwords. They are hardly ever used in this day and age and were hardly ever used in the good old days, but are still a useful feature of UNIX/HP-UX. Thanks for the pointer.

The, very limited, documentation is in the dialups(4) ("man dialups") manual page.

[Please no (0 or N/A) points for this response.]
yank
Occasional Advisor

Re: /etc/securetty problem.

Thank you very much to all supporters!

I used Chris's solution:
/etc/d_passwd
/etc/dialups.

That works excellently!

Best regards.