
etc/securetty

 
hmorrison
Advisor

etc/securetty

I was wondering if the etc/securetty file contains anything else besides the list of valid ttys for root login. Also, does it mean that if this file does not exist, root can be accessed from anywhere, providing the password is known?
6 REPLIES
Patrick Wallek
Honored Contributor

Re: etc/securetty

No, the /etc/securetty file should NOT contain anything other than the list of ttys root can log in from.

Yes, if the file does not exist then root can log in from anywhere.
Victor BERRIDGE
Honored Contributor

Re: etc/securetty

Hi,

All correct, with the only difference that if present, that doesn't mean root cannot access other than...
Understand it is not valid for X windows... (CDE environment)


All the best
Victor
Patrick Wallek
Honored Contributor

Re: etc/securetty

Oops -- too quick on the submit.

That is why it is recommended that the /etc/securetty file contain a single word: console

That way root can only log in directly from /dev/console, the direct attached console or a web console.

Another thing to think about though is SSH access. Unless your ssh.conf and/or sshd.conf (I can't quite remember) is configured correctly, then root can SSH from one machine to another. Have a look at the ssh.conf and sshd.conf man pages for information on how to restrict that.
Jaime Bolanos Rojas.
Honored Contributor

Re: etc/securetty

Hmorrison,

From the login man page:

"If the /etc/securetty file is present, login security is in effect, i.e., root is allowed to log in successfully only on the ttys listed in this file. Restricted ttys are listed by device name, one per line. Valid tty names are dependent on the installation. An example is

console
tty01
ttya1
etc.

Note that this feature does not inhibit a normal user from using the su command"

Regards,

Jaime
Work hard when the need comes out.
IT_2007
Honored Contributor

Re: etc/securetty

Check sshd_config for the following line:

#PermitRootLogin no

If it is uncommented and says "yes", then root can log in through ssh.
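
The two checks discussed in this thread (the contents of /etc/securetty and the PermitRootLogin line in sshd_config) can be scripted as below. This is an added example, not code from any poster; the function names are hypothetical, the file paths are passed as arguments, and a commented-out PermitRootLogin is reported as "unset" because sshd then applies its built-in default.

```shell
#!/bin/sh
# Added example: audit the root-login controls discussed in this thread.
# Function names are illustrative; pass the paths to check as arguments.

# check_securetty FILE -> missing | console-only | review
check_securetty() {
    # No file: login does not restrict which tty root may use.
    [ -f "$1" ] || { echo "missing"; return 0; }
    # Drop blank lines and normalise whitespace, one tty name per line.
    entries=$(awk 'NF { $1 = $1; print }' "$1")
    if [ "$entries" = "console" ]; then
        echo "console-only"     # the single-entry file recommended above
    else
        echo "review"           # other ttys listed, or no entries at all
    fi
}

# permit_root_login FILE -> first active global value, or "unset"
permit_root_login() {
    [ -f "$1" ] || { echo "no-config"; return 0; }
    awk '
        $1 ~ /^#/ { next }                  # commented lines are inactive
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == "permitrootlogin" {  # keyword is case-insensitive
            print tolower($2); found = 1; exit   # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_root_login SECURETTY SSHD_CONFIG
# Returns 0 only when root is limited to the console and SSH root login is "no".
audit_root_login() {
    st=$(check_securetty "$1")
    prl=$(permit_root_login "$2")
    echo "securetty:       $st"
    echo "PermitRootLogin: $prl"
    [ "$st" = "console-only" ] && [ "$prl" = "no" ]
}

# Run as: sh audit.sh /etc/securetty /path/to/sshd_config
if [ "$#" -eq 2 ]; then
    audit_root_login "$1" "$2" || echo "root login is not fully restricted"
fi
```

As the quoted man page notes, neither setting stops a normal user from using su, so a clean result here only covers direct root logins.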
Jaime Bolanos Rojas.
Honored Contributor

Re: etc/securetty

Hmorrison,

Also, please do not forget to assign points to people who are taking their time to help you out.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1058052

7 points to 61 responses.

Regards,

Jaime.
Work hard when the need comes out.