
help with securetty

 

We want to set up securetty to force admins to log in with their respective accounts, and then su to root.

The thing that I don't like is that with those rp2470s, there are no VGA cards and no console.

Is there a way to simulate a console with those servers? Or some workaround?

Thanks!

Re: help with securetty

Hi,

The rp2470 surely does have a console. See the following link:

http://docs.hp.com/en/rp24xx_basic_cable-en/ch01s04.html#d0e278

If you mean it doesn't have a LAN based console, then yours may not, but as you can see on the link above, you can get a secure web console which will function in the same way.

HTH

Duncan

I am an HPE Employee
Steven E. Protter
Exalted Contributor

Re: help with securetty

Shalom,

This system should also have a lan console, which is a RJ45 connector marked as LAN Console.

It can be configured on a network.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: help with securetty

All rp-24xx models have two console connections, a serial port for a classic terminal, and a LAN-based console port which is separate from the system LAN port. If you are thinking PC-style or Linux-GUI, there indeed is no VGA or mouse or keyboard nor are they needed. HP-UX, like most commercial Unix flavors, is managed with a command line interface program called a shell. While you can run X11 programs like xterm on HP-UX, the best way is to use a real terminal, or better yet, a secure terminal concentrator (not to be confused with a KVM switch), or by using telnet to the rp's service processor called the GSP. For security, the GSP LAN port should be on a restricted network.

Like any Unix flavor, the console is a low-usage yet critical tool and should be protected but always available when needed. You may want to look at sudo rather than su as a more secure and reliable method to allocate administrator duties. Get sudo from HP at:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

Select sudo from the Internet Express bundle.


Bill Hassell, sysadmin

Re: help with securetty

Ah right! : )

The remote console is running.

Now, what do I have to put in the securetty file to allow only login from the Remote Console?

Thanksss! :D:D
Christian Tremblay
Trusted Contributor

Re: help with securetty

one word: console

Chris
Christian Tremblay
Trusted Contributor

Re: help with securetty

PS: the tzupdater tool for Java 1.3 is now available at:

http://www.hp.com/products1/unix/java/DST-US.html

Chris

Re: help with securetty

Yeah, I had it right for the securetty, it was not the problem after all..

I found out that when we have the char "@" in our password, we can't login straight to root. After I changed my password to something without @, works like a charm..

Is this normal behavior?

Thanks again
Bill Hassell
Honored Contributor
Solution

Re: help with securetty

> I found out that when we have the char "@" in our password, we can't login straight to root. After I changed my password to something without @, works like a charm..
> Is this normal behavior?

Very normal. The default settings for a terminal connection are @=cancel line, and #=backspace. This was inherited from the days of teletypewriters (the 'tty' you see throughout Unix communications). The TTY is a paper device so backspacing is not really meaningful, so the # was adopted as the 'previous character delete' or backspace. The @ was virtually unused so it became the line cancel. After you log in, there are several stty commands in /etc/profile to set these conditions to other characters (stty erase "^H" kill "^U").

For the first 15 years or so for HP-UX, there was no way to change the defaults prior to login. But starting with patches for 10.20, a new device file now exists that changes the default: /dev/ttyconf. If your system has this device file, then you can change the default (see man stty). To set the more standard values:

stty erase "^H" kill "^U" < /dev/ttyconf

The change immediately affects all new logins except the console. This is because the console is opened almost all the time. You can set the ttyconf params in inittab so it will be effective for the console and all other ports at bootup. Modify the "stty" line in inittab from:

stty::sysinit:/sbin/stty 9600 clocal icanon echo opost onlcr ixon icrnl ignpar
to:

stty::sysinit:/sbin/stty 9600 erase "^H" kill "^U" clocal icanon echo opost onlcr ixon icrnl ignpar


Bill Hassell, sysadmin
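
Added example (not part of the original thread or anyone's post): a simplified Python model of the erase/kill handling described in the answer above, showing what the login program receives before and after the inittab change. The function names and the sample password are constructed for illustration, and the model handles only the erase and kill characters.

```python
import shlex

# Pre-login defaults described in the answer: '#' erases one character,
# '@' cancels the whole line.
DEFAULT_ERASE, DEFAULT_KILL = "#", "@"

# The two inittab entries quoted in the answer.
INITTAB_BEFORE = ("stty::sysinit:/sbin/stty 9600 clocal icanon echo opost "
                  "onlcr ixon icrnl ignpar")
INITTAB_AFTER = ('stty::sysinit:/sbin/stty 9600 erase "^H" kill "^U" clocal '
                 "icanon echo opost onlcr ixon icrnl ignpar")

# Constructed sample password containing both special characters.
SAMPLE_PASSWORD = "Adm@in#42"


def decode_caret(token):
    """Turn stty caret notation such as ^H or ^U into the control character."""
    if len(token) == 2 and token[0] == "^":
        return chr(ord(token[1].upper()) ^ 0x40)
    return token


def erase_kill_from_inittab(entry):
    """Read erase/kill from an inittab stty entry; fall back to the defaults."""
    command = entry.split(":", 3)[3]  # fields are id:rstate:action:process
    words = shlex.split(command)
    erase, kill = DEFAULT_ERASE, DEFAULT_KILL
    for name, value in zip(words, words[1:]):
        if name == "erase":
            erase = decode_caret(value)
        elif name == "kill":
            kill = decode_caret(value)
    return erase, kill


def line_received(typed, erase, kill):
    """Apply erase/kill editing to typed input, as canonical mode would."""
    buf = []
    for ch in typed:
        if ch == kill:
            buf.clear()          # line cancel: discard everything typed so far
        elif ch == erase:
            if buf:
                buf.pop()        # backspace: drop the previous character
        else:
            buf.append(ch)
    return "".join(buf)
```

With the original inittab entry, the sample password reaches login as "i42"; with the modified entry it arrives unchanged.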

Re: help with securetty

yay!! : ) Thanks