
How to prevent root login

 
Filomena Cantoria_1
New Member

I am using Exceed (Hummingbird) as my terminal emulation on several HP-UX 10.20
servers. I am still able to log in as root from other terminals. I have
implemented /etc/securetty and the only thing this does is to prevent root
logins via telnet.

Thanks in advance.
Evan Day_1
Frequent Advisor

Re: How to prevent root login

What do you have in your securetty file? Each device in the securetty file is
valid for root login, so if you put in tty0, tty1, etc, those will all work.

If you only put in console, root login will be restricted only to the console.

Filomena Cantoria_1
New Member

Re: How to prevent root login

I should have been more specific. I am having problems preventing root logins
using CDE on terminals (not console). I have been able to find the solution in
the IT Resource Center.

Thanks.
Brantley Hudson_1
Occasional Contributor

Re: How to prevent root login

I would suppose that you could edit the /etc/default/login file to limit root
login to the console. Is this the solution that you hit upon?
Alex Glennie
Honored Contributor

Re: How to prevent root login

Both dtlogin and vuelogin do not refer to the /etc/securetty file
after checking the login information against the /etc/passwd file.
To keep root from using the workstation graphics console or xterminal
when vuelogin or dtlogin are running, add the following lines to the
end of either /usr/vue/config/Xstartup (in HP-UX 10.X this would be
/etc/vue/config/Xstartup) or /etc/dt/config/Xstartup (copy over from
/usr/dt/config if the file does not exist in /etc/dt/config) for CDE:

if [ "$USER" = root ] ; then
    exit 1
fi

This will terminate the login process if the user is logging in as
root.

or for all users:

if [ "$USER" != "root" ]; then
    exit 1
fi

I have tested the second method and can confirm it worked with no obvious
side effects.
Mark Powell
New Member

Re: How to prevent root login

If you want to prevent logins (including root) via remsh or rexec then don't forget to use /var/adm/inetd.sec to restrict access to shell and exec or disable the rexecd and remshd daemons in /etc/inetd.conf.
Live as if you were to die tomorrow, learn as if you were to live forever...
Rick Garland
Honored Contributor

Re: How to prevent root login

Exceed has the rexec process for logging in. It does not check the presence of the /etc/securetty file and therefore will prevent a root login from wherever.

I know of two ways.
One is to turn off the rexec service on the system. Could create other problems as some backup programs use this service.

If not able to turn off rexec, write a script that will run the "who am i" command and place into cron. This output will tell you if root is logged in somewhere other than what is specified in the /etc/securetty file. The output of the command can be mailed to you and/or the other administrators to give a heads up.

I do see any reason for a user to be using the rexec process for logging in. If you are able, prevent the use of the rexec by users.
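
One way to script the cron check described in the post above, as an added example that is not part of the thread: it reads `who` output (an assumption, chosen because a cron job has no terminal of its own) and prints root sessions on terminals missing from /etc/securetty. The function names, sample lines and mail recipient are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list root sessions whose terminal is
# not in securetty. Assumed cron use: who | root_off_securetty /etc/securetty

# is_listed TTY FILE: succeed if TTY is an exact line of FILE.
is_listed() {
    [ -r "$2" ] || return 1          # a missing or unreadable file lists nothing
    while read -r entry || [ -n "$entry" ]; do
        [ "$entry" = "$1" ] && return 0
    done < "$2"
    return 1
}

# root_off_securetty FILE: read `who`-style lines (user, line, rest) on stdin
# and print each root session whose line is not listed in FILE.
root_off_securetty() {
    while read -r user line rest; do
        [ "$user" = "root" ] || continue
        is_listed "$line" "$1" || printf '%s %s %s\n' "$user" "$line" "$rest"
    done
}

# Constructed sample input, so the check can be tried offline.
sample_who() {
    cat <<'EOF'
root       console      Mar  3 09:12
jdoe       pts/ta       Mar  3 09:30
root       pts/tb       Mar  3 10:01   (pc17.example.com)
EOF
}

# demo_report: run the check on the sample with a console-only securetty.
demo_report() {
    tmp=${TMPDIR:-/tmp}/securetty.$$
    echo console > "$tmp"
    sample_who | root_off_securetty "$tmp"
    rm -f "$tmp"
}

# In cron, mail only when something is found (recipient is a placeholder):
#   out=$(who | root_off_securetty /etc/securetty)
#   [ -n "$out" ] && echo "$out" | mailx -s "root login off securetty" admin@example.com
```

With a securetty that lists only console, the sample reports the root session on pts/tb and ignores both the console login and the non-root user.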

Re: How to prevent root login

Hi

try to do the following

try this

/etc/securetty

put entry like

echo console > /etc/securetty

Do not keep the file blank or empty.

I hope this will only allow root from the console and not give permission through any third-party software.

Regards

Nikhil
nikhil