
securetty

dongming
Frequent Advisor

securetty

Hello,
I am trying to deny remote root login, so I added console to /etc/securetty.
Now root can't log in by telnet and rlogin.

But when I try to log in with /usr/bin/X11/xterm -display @d from Exceed Xstart, it still opens a root shell.
It uses rexec.

Does anyone know how to configure this? (I still want to let other accounts use rexec.)

Thanks

13 REPLIES
Geoff Wild
Honored Contributor

Re: securetty

Do you have an .rhosts file?

Also see this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=123810

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Devesh Pant_1
Esteemed Contributor

Re: securetty

Dongming,
I think if you get rid of the .rhosts file, or check your /etc/hosts.equiv file and deny remote execution on your box, this will stop.

Do a man on hosts.equiv and man .rhosts for more details.

thanks
DP
dongming
Frequent Advisor

Re: securetty

Thanks for the response.
I tested on my box, and I don't think it relates to .rhosts and hosts.equiv.
I removed both of these 2 files, and the client (PC) can still log in as root.
Devender Khatana
Honored Contributor

Re: securetty

Hi,

It relates to these files only. Notice that there should be multiple .rhosts files for different users. So look for a .rhosts or hosts.equiv file in the home directory of the user.

HTH,
Devender
Impossible itself mentions "I m possible"
dongming
Frequent Advisor

Re: securetty

Thanks.
However, there is no .rhosts or hosts.equiv under the other user accounts.
If I change to rsh for xterm, it can't log in, but not for rexec.
So I have to comment out the entry for rexecd in /etc/inetd.conf.
Mel Burslan
Honored Contributor
Solution

Re: securetty

rexecd seems to be circumventing the securetty restrictions. I have tested on my most secure box in my data center, for which I have the root password but do not use it daily, and it was smooth sailing: pop goes the root prompt as soon as I typed the correct password.

Disabling rexec is actually good security practice. If I were you, I would disable rsh and telnet as well and require my users to get used to the ssh idea.
________________________________
UNIX because I majored in cryptology...
DCE
Honored Contributor

Re: securetty

The way we resolved this issue was to customize Xstartup. Xstartup is run for anyone coming in via a graphical connection.

We placed a logical test in the file to see if the id logging in was root (or oracle), and if so, abort the login.

The original file is in /usr/dt/config. If you customize it, place the customized version in /etc/dt/config.
dongming
Frequent Advisor

Re: securetty

Thanks.
Yes, it is a good idea to comment out rsh and telnetd in /etc/inetd.conf and use ssh.
But sometimes we still use rcp.
About Xstartup: it only denies remote CDE login, not xterm (rexec).
Sameer_Nirmal
Honored Contributor

Re: securetty

Yes, you are right. You have to disable the exec service in the /etc/inetd.conf file.

Remember /etc/securetty is valid for tty sessions only. It is not valid for exec or ssh sessions, as they don't use ttys at all.

.rhosts and hosts.equiv files are never used by rexec (but remsh does use them). It simply uses the same authentication method as login does.

If you are using ssh and don't want to allow root login from an ssh client, then set PermitRootLogin=no in the /opt/ssh/etc/sshd_config file.
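An added example, not from the thread or from HP, that checks the two controls the replies converge on: a POSIX sh audit that reads an inetd.conf-style file and reports whether the exec (rexecd), shell, login and telnet services are still enabled, plus the PermitRootLogin value in an sshd_config. The sample files and their paths are constructed assumptions; point the functions at the real /etc/inetd.conf and /opt/ssh/etc/sshd_config to audit a host.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an inetd.conf-style file for the
# services discussed above (rexecd bypasses /etc/securetty; remsh and telnet are
# the ones the thread suggests replacing with ssh) and reports PermitRootLogin.
# inetd.conf service names to check (HP-UX names used in the thread).
AUDIT_SERVICES="exec shell login telnet"

# inetd_service_state FILE SERVICE: prints enabled, disabled, or absent.
# "enabled" when a line's first field is the service name; "disabled" when the
# name only appears behind a leading '#'.
inetd_service_state() {
    awk -v svc="$2" '
        { sub(/^[ \t]+/, "") }                        # drop leading whitespace
        $1 == svc { print "enabled"; found = 1; exit }
        $1 == ("#" svc) || ($1 == "#" && $2 == svc) { state = "disabled" }
        END { if (!found) print (state ? state : "absent") }
    ' "$1"
}

# audit_inetd FILE: prints "service state" per service; returns 1 if any of
# them is still enabled, so it can gate a hardening script.
audit_inetd() {
    rc=0
    for svc in $AUDIT_SERVICES; do
        state=$(inetd_service_state "$1" "$svc")
        printf '%-7s %s\n' "$svc" "$state"
        [ "$state" = enabled ] && rc=1
    done
    return $rc
}

# sshd_root_login FILE: prints the last PermitRootLogin value, or "unset".
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { v = $2 } END { print (v ? v : "unset") }' "$1"
}

# Constructed sample files (not from any real host) so the script runs stand-alone.
SAMPLE_INETD=$(mktemp); SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell   stream tcp nowait root /usr/lbin/remshd  remshd
login    stream tcp nowait root /usr/lbin/rlogind rlogind
exec     stream tcp nowait root /usr/lbin/rexecd  rexecd
EOF
printf 'Port 22\nPermitRootLogin no\n' > "$SAMPLE_SSHD"
audit_inetd "$SAMPLE_INETD" || echo "WARNING: securetty-bypassing services still enabled"
echo "sshd PermitRootLogin: $(sshd_root_login "$SAMPLE_SSHD")"
```

On the constructed sample the audit flags exec and login as enabled and exits non-zero; telnet and shell are reported as disabled because they are only present behind a '#'.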


dongming
Frequent Advisor

Re: securetty

Thanks, everyone.
Now it is clear.
Devender Khatana
Honored Contributor

Re: securetty

What about assigning points to the responses to your posts according to their relevance?

Here are the questions for which you need to do this.

http://forums1.itrc.hp.com/service/forums/pageList.do?userId=CA1276111&listType=unassigned&forumId=1

Regards,
Devender
Impossible itself mentions "I m possible"
dongming
Frequent Advisor

Re: securetty

I assigned the points for all answers.
Thanks again.
Devender Khatana
Honored Contributor

Re: securetty

Hi,

The points are still not allotted for any of the responses to your questions. Your profile also shows this here:

http://forums1.itrc.hp.com/service/forums/publicProfile.do?userId=CA1276111&forumId=1

Regards,
Devender
Impossible itself mentions "I m possible"