Operating System - HP-UX
Paul Sperry
Honored Contributor

Restriction so that only root can login at console.

HP-UX 11.i patch level June 2002
untrusted(vendor requirement)

I have a security requirement to not allow any
user except root to login via the console. Of
course the other non root users will need to login
via telnet, remsh, ftp, etc.

Is this possible?

Thanks (and points) for any and all input.

Paul

Re: Restriction so that only root can login at console.

Paul,

I believe it can be done, but you'll have to write a custom PAM module for login. This PAM module would allow only root to log in if the tty is the console, returning PAM_PERM_DENIED otherwise. If the tty is not the console, then simply return PAM_SUCCESS.

Insert this new module in your /etc/pam.conf

login auth requisite /usr/lib/security/pam_YourCustomModule.so.1

just above

login auth required /usr/lib/security/libpam_unix.1

pam link:
http://www.cs.rit.edu/~hpb/Man/_Man_Solaris_2.6_html/html3/pam.3.html

Tyler
Massimo Bianchi
Honored Contributor

Re: Restriction so that only root can login at console.

Hi,
just a couple of hints:

- write in /etc/securetty the word "console"

this way root is only allowed to login at console.


- Then, put in the .profile of each user a script that exits if the terminal is the console. You can check this with the command "tty".


HTH,
Massimo
PIYUSH D. PATEL
Honored Contributor

Re: Restriction so that only root can login at console.

You can use securetty. You can create a file in /etc called securetty and put an entry in there for console.

/etc/securetty
console

HTH,
Piyush
PIYUSH D. PATEL
Honored Contributor

Re: Restriction so that only root can login at console.

Hi Paul,

For added security, the owner of that file should be root:bin and permission should be 600.

HTH,
Piyush
Darren Prior
Honored Contributor

Re: Restriction so that only root can login at console.

I agree with Massimo's answer. Please be very careful with the securetty file - if you create it with no contents or any strange characters get written there by mistake you could end up with a system where root cannot login anywhere! Keep a window logged in as root somewhere else until you've tested the functionality. :)

If you were to trust the system you can use devassign to stop others from using the console. See man 4 devassign for more info.

regards,

Darren.
Calm down. It's only ones and zeros...
Sridhar Bhaskarla
Honored Contributor

Re: Restriction so that only root can login at console.

Paul,

/etc/securetty is to allow root to login *only* from console. It does not mean others cannot login from the console. However, you will still need to use this file to avoid root logins through network.

You can put a small check in your /etc/profile (for sh/ksh as an example) to see if the user is not root AND the "tty" is /dev/console. If so, then exit; otherwise let the user login.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

I like Massimo's answer. Any ideas on the script?

if [ "$(tty)" = "/dev/console" ]
then
    echo "not allowed to login to console"
    exit
fi
Darren Prior
Honored Contributor

Re: Restriction so that only root can login at console.

pretty close, I reckon this would do the trick in .profile:

if [[ $(/usr/bin/tty) = "/dev/console" && $(whoami) != "root" ]]
then
echo not allowed to login to console
exit
fi

Usual warnings apply: test carefully, remove the "exit" until you're happy with the script.

regards,

Darren.
Calm down. It's only ones and zeros...
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

Tried several profile scripts
but still no joy
Shannon Petry
Honored Contributor

Re: Restriction so that only root can login at console.

The script will not work like stated if you're using X of any sort. Console is grabbed by X, but terminals are ttys. So when you open a shell, it's never on the console.

Use /etc/securetty! It's approved, supported, and most of all proven to work.

Regards,
Shannon
Microsoft. When do you want a virus today?
Pete Randall
Outstanding Contributor

Re: Restriction so that only root can login at console.

Paul,

I cut and pasted Darren's suggestion into my /etc/profile and tested it. It worked like a charm.

What shell are you using? What console (i.e. serial, or gui)?


Pete
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

my shell is ksh
the console is GUI
Sridhar Bhaskarla
Honored Contributor

Re: Restriction so that only root can login at console.

Paul,

Darren's script should work.

Also Shannon made a good point. You will also need to modify /etc/dt/config/Xstartup script to add these checks. You will need to check if the DISPLAY has been set to the host appearing in "who -mR" output. Since you may not even want root to login through CDE logins, it is better you completely disable CDE.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

CDE has been started
I am logging in through CDE
would like to keep CDE if possible


Pete Randall
Outstanding Contributor

Re: Restriction so that only root can login at console.

Ok, then, that would explain it. Perhaps using a similar technique but with the "who am i" command (which will tell you if it's console or tty - "who am i |awk '{ print $2 }'") might be of use to you.


Pete
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

Pete

I don't see how whoami would be used
Shannon Petry
Honored Contributor

Re: Restriction so that only root can login at console.

It does not matter that much, Pete, as once the session is started you no longer are on the console with "ANY" X application. Remember that X gets the console, under the user's name. Any further shell is then a tty, meaning in order to do "anything" it's through a tty.

If the user wants CDE as their desk, more power to them. But, that means that much of what we could do to secure server with no graphics console is out the window.

There is not an easy fix for this, which is why I said use /etc/securetty. It checks the login only, so you're good. I'm sure in a day of playing around, you could get something to work half as? in /etc/profile, but why go through all the trouble?

Regards,
Shannon
Microsoft. When do you want a virus today?
Pete Randall
Outstanding Contributor

Re: Restriction so that only root can login at console.

Paul,

I'm not absolutely sure this would work and I'm not willing to log out at the moment to do any testing, but, if you'll just execute the command "who am i |awk '{ print $2 }'", you'll see that it returns a tty number. If you'll do a "who" command, you'll see that the initial login shows "console" whereas all the other processes show a tty. My theory is that putting a test in /etc/profile, which would be invoked during the initial login, would return "console", and you could then check user for "root" and exit, just as Darren showed.


Pete
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

Ok

I put in my profile

if [[ $(who am i | awk '{print $2}') = "/dev/console" && $(whoami) != "root" ]]
then
echo not allowed to login to console
exit
fi

but it still let me login
any other thoughts?

BTW thanks for all the input so far
Sridhar Bhaskarla
Honored Contributor

Re: Restriction so that only root can login at console.

Paul,

If I understand your requirements correctly, then you are using CDE and you do not want others to login through your workstation. If that is the case edit /etc/dt/config/Xstartup file and put the following.

HOST=$(echo $DISPLAY|awk '{FS=":";print $1}'|awk '{FS=".";print $1}')
MYHOST="Your_host" #Your_host is the hostname on which you do not want the non-root users to login


if [[ $HOST = $MYHOST && $USER != "root" ]]
then
exit 1
fi
If you don't have an Xstartup file, copy it from the /usr/dt/config directory.

The above script will allow other users to login from CDE sessions on boxes other than your_host.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
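The Xstartup check above hinges on pulling the host part out of $DISPLAY and comparing it with the protected hostname. The following is an added example, not code from the thread: a POSIX sh version of that extraction and decision. It assumes DISPLAY has the X11 form [host]:display[.screen], and it treats a bare ":0" (no host part) as the protected machine's own local display, a case the awk pipeline in the post does not cover. It also shows the pitfall when DISPLAY carries an IP address rather than a name: splitting on "." leaves only the first octet, so a comparison against a hostname can never match.

```sh
#!/bin/sh
# Added example, not from the thread. Host extraction and login decision
# for an /etc/dt/config/Xstartup-style check on DISPLAY.

# display_host DISPLAY -> prints the host part with any domain suffix removed.
# ":0" (local display, no host) prints an empty string.
# An IP-form DISPLAY such as 164.10.20.30:0.0 prints "164", which is why a
# hostname comparison fails on such systems.
display_host() {
    _d=$1
    _h=${_d%%:*}     # drop ':display.screen'
    _h=${_h%%.*}     # drop '.domain' (or the rest of an IP address)
    printf '%s\n' "$_h"
}

# cde_login_allowed DISPLAY USER PROTECTED_HOST -> 0 if the session may
# start, 1 if it must be refused (non-root user on the protected host).
# Assumption: an empty host part means the protected host's local display.
cde_login_allowed() {
    _host=$(display_host "$1")
    _user=$2
    _protected=$3
    if [ -z "$_host" ]; then
        _host=$_protected
    fi
    if [ "$_host" = "$_protected" ] && [ "$_user" != "root" ]; then
        return 1
    fi
    return 0
}

# Intended use inside Xstartup (assumed placement, as in the post above):
#   cde_login_allowed "$DISPLAY" "$USER" "$(hostname)" || exit 1
```

Because display_host works on the string alone, the decision can be exercised with constructed DISPLAY values without logging out of CDE, which is the testing difficulty the thread runs into.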
Dario_1
Trusted Contributor

Re: Restriction so that only root can login at console.

Paul:

I don't know if it works but try this:

TTYCHECK=`/usr/bin/tty | cut –d \/ -f4`
If [[ “$TTYCHECK” = “console” && $(whoami) != "root" ]]
then
echo "not allowed to login to console"
sleep 5
exit
fi

Regards,

DR
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

Sri

the command:

echo $DISPLAY|awk '{FS=":";print $1}'|awk '{FS=".";print $1}'

returns 164
which is the first octet of the server's IP address?

so

$HOST = $MYHOST will never be true
Dario_1
Trusted Contributor
Solution

Re: Restriction so that only root can login at console.

Paul:

I was able to try the following and it worked:

TTYCHECK=`/usr/bin/tty | cut -d \/ -f4`
if [[ "$TTYCHECK" != "console" && $(whoami) = "root" ]]
then
echo $TTYCHECK
fi

Just try my previous reply it should work for you.

Regards,

DR
Paul Sperry
Honored Contributor

Re: Restriction so that only root can login at console.

Dario,

It works perfectly from the console/server but when I remsh from a different workstation to the server I get

Usage: cut -b List [-n] [File...]
or: cut -c List [File...]
or: cut -f List [-d Character] [-s] [File...]
${HOME:-.}/.profile[36]: If: not found
${HOME:-.}/.profile[36]: syntax error: `then' unexpected

I don't fully understand your code. Any ideas? I want to bunnie this issue
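The errors quoted in the last post come from the pasted snippet itself: the dash in "cut –d" and the quotes around "console" are word-processor characters rather than ASCII, which produces the cut usage message, and "If" with a capital letter is not a shell keyword, hence "If: not found" and the unexpected "then". The following is an added example, not code from the thread, that puts the console check the thread converges on (Darren's .profile test and Dario's cut-based variant) into a form that handles the three situations the posts describe: an interactive login where tty prints /dev/console, a network login where tty prints a pty device, and a non-interactive remsh command where tty prints "not a tty". It assumes a POSIX sh or ksh reading /etc/profile and that id -un is available.

```sh
#!/bin/sh
# Added example, not from the thread. Console-only-root check for
# /etc/profile, written in plain ASCII.

# console_login_refused TTY_OUTPUT USER -> 0 when the login should be
# refused (a non-root user on the console), 1 otherwise.
# TTY_OUTPUT is whatever /usr/bin/tty printed, so the decision can be
# tested without a real terminal.
console_login_refused() {
    _tty=$1
    _user=$2
    # "not a tty" (or nothing at all): no terminal is attached, e.g. a
    # remsh running a single command. Never refuse here, or every remote
    # command that sources .profile breaks with a usage error.
    case $_tty in
        "not a tty"|"") return 1 ;;
    esac
    # Strip a leading /dev/ so both "/dev/console" (tty) and "console"
    # (who am i) match; this is what cut -d / -f4 achieved in the thread.
    _dev=${_tty#/dev/}
    if [ "$_dev" = "console" ] && [ "$_user" != "root" ]; then
        return 0
    fi
    return 1
}

# profile_check: the call /etc/profile would make. exit ends the login
# shell, as in Darren's version; the sleep keeps the message readable.
profile_check() {
    if console_login_refused "$(/usr/bin/tty 2>/dev/null)" "$(id -un)"; then
        echo "not allowed to login to console"
        sleep 5
        exit 1
    fi
}
```

As Shannon points out in the thread, this only runs for shells that read /etc/profile; a CDE session grabs the console under the user's name and its terminals are ptys, so the profile check does not see them. It is a usability measure on top of /etc/securetty, not a substitute for it.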