HPE Community
Operating System - HP-UX
1835790 Members
2457 Online
110085 Solutions
New Discussion

Re: restricting direct login to root

 
Amit Manna_6
Regular Advisor

‎05-30-2004 11:06 PM

‎05-30-2004 11:06 PM

restricting direct login to root

Can anybody tell me how to
1)restrict access directly to root from tty terminals and
2)how to enable rshd or rlogind
3)how to allow root access from Console
4)How to restrict ftp access for users.


0 Kudos
Reply
10 REPLIES 10
Ashwani Kashyap
Honored Contributor

‎05-30-2004 11:17 PM

‎05-30-2004 11:17 PM

Re: restricting direct login to root

1. #echo "console" > /etc/securetty
This will only allow root access from console wonly and not from any tty terminals .

2. edit appropriate entries in /etc/inetd.conf and restart by inetd -c

3. same as 1 above .

4. http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000073094324
0 Kudos
Reply
V.Tamilvanan
Honored Contributor

‎05-30-2004 11:19 PM

‎05-30-2004 11:19 PM

Re: restricting direct login to root

Hi

1.Create a file /etc/securetty. Put the entry /dev/console. This will restrict root access from terminal and allows only from console.

2. By default rlogind is enabled.Create .rlogin files in Homedirectory and add the entries of trusted hostname and username .

See man pages of remsh.

4. Create a file called /etc/ftpd/ftpusers and add the usernames suppose to be ftp restriceted.
0 Kudos
Reply
Girish_17
Regular Advisor

‎05-30-2004 11:19 PM

‎05-30-2004 11:19 PM

Re: restricting direct login to root

Hello,
to restrict root access to tty -
create a file securetty containing a single line console
in /etc directory

for rlogin and rshd
edit /etc/inetd.conf file and un comment
login stream tcp no wait root /usr/lbin/rlogind rlogind &

shell stream tcp no wait root /usr/lbin/remshed remshed

to allow rlogin and remote execution

root access from console is by default you need not specify the same

do disable ftp comment (#) the ftp stream tcp nowait root /usr/lbin/ftpd ftpd line


Hope this solves your querries.

Regards
Girish Ransubhe

0 Kudos
Reply
Jose Mosquera
Honored Contributor

‎05-30-2004 11:48 PM

‎05-30-2004 11:48 PM

Re: restricting direct login to root

Hi,

Pls create or edit /etc/default/security file. Her you can restrict the "su" command use. So define a group tah must have "su" privileges:
SU_ROOT_GROUP=

Then create into /etc/group file, ande define root like the unique user that can execute the "su" command:
:::root

If you need restrict access from IP's or alias point of view, the /var/adm/inetd.sec will be usefull for you. In this file you can restrict telnet (login), ftp and shell (rcp/remsh) services. For extra help use:
# man inetd.sec

The best way to control this could be the wu-ftp (Washinton University ftp)implementation in your server. Plase look for this implementation in this forum, a lot of docs will be found.

Rgds.
0 Kudos
Reply
Ravi S. Banda
Regular Advisor

‎04-22-2005 08:00 AM

‎04-22-2005 08:00 AM

Re: restricting direct login to root

Everyone,
I created /etc/securetty file, the contents of which are:
/dev/console

The problem is that I cannot even login (as root) from "Console login" prompt when I directly connect to the console. I cannot telnet to the server and login as root, which makes sense. But, I don't understand why I cannot login from the console.

I can do "su - root" and "su root" after telnet as another user, say "oracle" from the telnet client.
0 Kudos
Reply
RAC_1
Honored Contributor

‎04-22-2005 08:07 AM

‎04-22-2005 08:07 AM

Re: restricting direct login to root

Does your password has special chars like @, # and is it over 8 chars??
There is no substitute to HARDWORK
0 Kudos
Reply
Rick Garland
Honored Contributor

‎04-22-2005 08:08 AM

‎04-22-2005 08:08 AM

Re: restricting direct login to root

Instead of '/dev/console' in the securetty file, just have 'console'.

You will be able to root login from console then.

To prevent other users from becoming root after logging in, the /etc/default/security file can contain 'SU_ROOT_GROUP='.

I have created a wheel group, SU_ROOT_GROUP=wheel, and only SAs entitled to the root account are in this wheel group.

This will prevent all other users who are not in the wheel group from becoming root. This is nice because even if they know what the root passwd is, they still cannot become root because they are not in the wheel group.
0 Kudos
Reply
Ravi S. Banda
Regular Advisor

‎04-22-2005 08:09 AM

‎04-22-2005 08:09 AM

Re: restricting direct login to root

The root's password contains one integer and is 8 chars long.

Thanks!
Ravi.
0 Kudos
Reply
Ravi S. Banda
Regular Advisor

‎04-22-2005 08:13 AM

‎04-22-2005 08:13 AM

Re: restricting direct login to root

Rick Garland's response helped me. I changed from /dev/console to "console" and that fixed it.

I've a question. So, does that mean any user who would want to "su" as root would have to be a part of SU_ROOT_GROUP??

Thanks!
Ravi.
0 Kudos
Reply
Rick Garland
Honored Contributor

‎04-22-2005 08:20 AM

‎04-22-2005 08:20 AM

Re: restricting direct login to root

Any user can su - root all they want.
Success would be only for those users who are a part of the SU_ROOT_GROUP and it is defined in the /etc/default/security file.

Example, you are in the wheel group, SU_ROOT_GROUP=wheel. You can su - root (provided you know the passwd). If you are not in the wheel group you cannot become root, even if you know the passwd.






0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.