HPE Community
Operating System - HP-UX
1836617 Members
2121 Online
110102 Solutions
New Discussion

securetty file

 
Gary_178
Occasional Contributor

‎06-16-2005 02:09 AM

‎06-16-2005 02:09 AM

securetty file

Our system has a securetty file restricting root login to the console.

Thats fine, but the console is some 15 miles away from me as System Administrator. While I know I can sudo in as root, I sometimes have the need to login as root directly.

How can this be achieved when I am logging in via a windows network, and the tty address required for the securetty file is not static?
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎06-16-2005 02:18 AM

‎06-16-2005 02:18 AM

Re: securetty file

I would suggest a different console.

A Secure web console has an IP address and can be connected via a secure, java based browser.

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D803851%26qt%3D%2Bsecure%2Bweb%2Bconsole%26hit%3D1&aid=SEARCH_FORUMS&pil=1&serStr=secure+web+console&pir=1

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎06-16-2005 02:24 AM

‎06-16-2005 02:24 AM

Re: securetty file

If this were possible, it would defeat the purpose of securetty. You could create your own telnetd with a backdoor but that too would defeat the purpose. Obviously, you could add all the possible pseudotty's to the file but that seems pointless as well. It sounds as though you want securetty and don't want securetty at the same time. If this is a real issue for you, about the least evil method I can imagine is an old-fashioned modem connection. For security, you could use a dialback modem or something like the in-line lock & keys that are placed in the phone lines on each modem.
If it ain't broke, I can fix that.
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎06-16-2005 02:33 AM

‎06-16-2005 02:33 AM

Re: securetty file

Hi Gary,

Unless this is an old system like a K or older then it should have a lan console port.
We set these up on a private network where we have to go to a specific server on that net & telnet to the lan console where one can login directly as root. We do *not* put these on the public net for obvious reasons.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
DCE
Honored Contributor

‎06-16-2005 02:58 AM

‎06-16-2005 02:58 AM

Re: securetty file

I have implemented several secure web consoles to address the same concern - the secure web console provides full console access from anywhere on your network and provides the security necessary for a remote connection.

Dave
0 Kudos
Reply
David Lodge
Trusted Contributor

‎06-16-2005 10:22 PM

‎06-16-2005 10:22 PM

Re: securetty file

I would avoid the SWCs like the plague (they aren't very secure and the java code is a bit dodgy).

If you require direct console acces (which is very rare - and should usually be restricted to work in single user or maintenance mode) Then get a console multiplexer (I've used Cyclades in the past). As these provide better encryption than the SWCs (through an SSH tunnel) and work neatly.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.