
securetty file

 
Gary_178
Occasional Contributor

securetty file

Our system has a securetty file restricting root login to the console.

That's fine, but the console is some 15 miles away from me as System Administrator. While I know I can sudo in as root, I sometimes have the need to log in as root directly.

How can this be achieved when I am logging in via a Windows network, and the tty address required for the securetty file is not static?
Steven E. Protter
Exalted Contributor

Re: securetty file

I would suggest a different console.

A secure web console has an IP address and can be connected via a secure, Java-based browser.

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D803851%26qt%3D%2Bsecure%2Bweb%2Bconsole%26hit%3D1&aid=SEARCH_FORUMS&pil=1&serStr=secure+web+console&pir=1

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor

Re: securetty file

If this were possible, it would defeat the purpose of securetty. You could create your own telnetd with a backdoor but that too would defeat the purpose. Obviously, you could add all the possible pseudo-ttys to the file but that seems pointless as well. It sounds as though you want securetty and don't want securetty at the same time. If this is a real issue for you, about the least evil method I can imagine is an old-fashioned modem connection. For security, you could use a dialback modem or something like the in-line lock & keys that are placed in the phone lines on each modem.
If it ain't broke, I can fix that.
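
The reply above notes that listing every pseudo-tty in securetty defeats its purpose. As an added example (not posted by anyone in this thread), the shell function below audits a securetty-style file and reports every entry other than `console`; the file format details and the pseudo-tty name patterns are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example: audit a securetty-style file for entries beyond "console".
# Assumptions: one device name per line (with or without a /dev/ prefix),
# '#' starts a comment, and pseudo-ttys are named pts/N, pty/... or ttypN.

# audit_securetty FILE
#   0 = only "console" is listed
#   1 = other entries are listed (each one is printed)
#   2 = file unreadable, or "console" is not listed
audit_securetty() {
    file=$1
    extra=0; seen_console=0; lineno=0
    [ -r "$file" ] || { echo "UNREADABLE: $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop any comment, then all blanks and carriage returns.
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        entry=${entry#/dev/}
        case $entry in
            console)
                seen_console=1 ;;
            pts/*|pty/*|ttyp*)
                echo "PSEUDO-TTY line $lineno: $entry"; extra=1 ;;
            *)
                echo "OTHER line $lineno: $entry"; extra=1 ;;
        esac
    done < "$file"
    [ "$extra" -eq 0 ] || return 1
    [ "$seen_console" -eq 1 ] || { echo "NO-CONSOLE: $file"; return 2; }
    return 0
}

# Constructed sample: the "add the pseudo-ttys" workaround in miniature.
sample=${TMPDIR:-/tmp}/securetty.sample.$$
printf 'console\npts/0\n/dev/ttyp1   # added for remote root\n' > "$sample"
rc=0
audit_securetty "$sample" || rc=$?
echo "exit status: $rc"
rm -f "$sample"
```
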
Jeff Schussele
Honored Contributor

Re: securetty file

Hi Gary,

Unless this is an old system like a K or older then it should have a lan console port.
We set these up on a private network where we have to go to a specific server on that net & telnet to the lan console where one can login directly as root. We do *not* put these on the public net for obvious reasons.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
DCE
Honored Contributor

Re: securetty file

I have implemented several secure web consoles to address the same concern - the secure web console provides full console access from anywhere on your network and provides the security necessary for a remote connection.

Dave
David Lodge
Trusted Contributor

Re: securetty file

I would avoid the SWCs like the plague (they aren't very secure and the Java code is a bit dodgy).

If you require direct console access (which is very rare - and should usually be restricted to work in single user or maintenance mode) then get a console multiplexer (I've used Cyclades in the past), as these provide better encryption than the SWCs (through an SSH tunnel) and work neatly.