
ServiceGuard and denying Root-Login through /etc/securetty

 
Oliver Charni
Trusted Contributor

Got a rather basic question regarding the use of /etc/securetty to deny root-Logins in Combination with a ServiceGuard Cluster.
We have a 6 Node Cluster that still uses rlogin/rsc/rexec at the moment.
Thing one is that we want to change this to SSH. I understand this is done by setting Parameters in the Clusterconfig and restarting the Cluster.
Thing two is that we want to disable root-Logins by putting console in /etc/securetty.

Question is, will putting console in /etc/securetty affect the Cluster Functionality once we have changed it to SSH? I'm not entirely familiar with how the Cluster uses Remote-Logins, thus the Question here.
if it smells funny on the outside, it's worse on the inside
Steven E. Protter
Exalted Contributor

Re: ServiceGuard and denying Root-Login through /etc/securetty

Shalom Oliver,

SG has a nodelist function that replaces rsh for access. As far as I knew SG did not depend on ssh.

For ssh you could exchange public keys and that would probably help with remote login issues. Exchanging public keys is better than changing securetty in this situation.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
RAC_1
Honored Contributor
Solution

Re: ServiceGuard and denying Root-Login through /etc/securetty

What version of SG? With the latest versions of SG, you need .rhosts/cmclnodelist files only at the time of forming a cluster. Later, you can configure access policies in packages/cluster config files.

It has nothing to do with /etc/securetty, and also you can not use ssh.
There is no substitute to HARDWORK
rariasn
Honored Contributor

Re: ServiceGuard and denying Root-Login through /etc/securetty

Hi Oliver;

My /etc/securetty:

console

In cluster_configuration_file:

USER_NAME user_operator
USER_HOST CLUSTER_MEMBER_NODE
USER_ROLE pkg_admin

I have not defined the root user, and all is OK.

For remote root commands, I use "ssh".

ran
Oliver Charni
Trusted Contributor

Re: ServiceGuard and denying Root-Login through /etc/securetty

SG Version is 11.14.
I can only remember from installing one SG Cluster a while back that it needed the .rhosts Entries, but I wasn't really sure how the Cluster uses that during normal Operations.

I've looked through the ServiceGuard Security Files Document now and the Access Policies are described there. Basically on a User and Host Basis.

In any Case I still need to put console in /etc/securetty. The thing is the somewhat weird requirements for those systems, as R-Services and Telnet need to be active and we just wanna make sure that root cannot log in through those. The only concern was that the Cluster might not work properly once we make the changes.
if it smells funny on the outside, it's worse on the inside
rariasn
Honored Contributor

Re: ServiceGuard and denying Root-Login through /etc/securetty

# ll /etc/cmcluster/cmclnodelist
-rw-r----- 1 root sys 410 Oct 4 2004 cmclnodelist

# cat /etc/cmcluster/cmclnodelist

node1 root
node2 root
...
node1 operator_user
node2 operador_user

Copy file "cmclnodelist" to node1 and node2

ran
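
An added example, not part of any post in this thread: a small sh audit of the two files discussed above. It checks that securetty lists only console, which hosts have a root line in cmclnodelist, whether any user is listed for only some nodes, and that the file mode is no looser than the listing shows. The function names, the sample users op_a/op_b and the skipping of "#" comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File formats follow the posts above;
# skipping "#" comments and blank lines is an assumption.

# Entries in a securetty-style file other than "console".
securetty_extra() {
    awk '{ sub(/#.*/, "") } NF && $1 != "console" { print $1 }' "$1"
}

# Succeeds only when "console" is the single entry.
securetty_console_only() {
    awk '{ sub(/#.*/, "") } $1 == "console" { ok = 1 } END { exit !ok }' "$1" &&
        [ -z "$(securetty_extra "$1")" ]
}

# Hosts that have a "host root" line in a cmclnodelist-style file.
nodelist_root_hosts() {
    awk '{ sub(/#.*/, "") } NF == 2 && $2 == "root" { print $1 }' "$1" | sort -u
}

# Users listed for some hosts but not all (typos, forgotten nodes).
nodelist_uneven_users() {
    awk '{ sub(/#.*/, "") } NF == 2 {
             if (!h[$1]++) hosts++
             if (!p[$1, $2]++) n[$2]++
         }
         END { for (u in n) if (n[u] < hosts) print u }' "$1" | sort
}

# Succeeds when the file is neither group-writable nor accessible to others
# (the listing above shows -rw-r-----).
nodelist_mode_ok() {
    ls -ld "$1" | awk '{ exit !(substr($1, 6, 1) == "-" && substr($1, 8, 3) == "---") }'
}

# Constructed sample files, so the checks can be tried away from a cluster node.
demo=${TMPDIR:-/tmp}/sgaudit.$$
mkdir -p "$demo"
printf 'console\n' > "$demo/securetty"
printf 'node1 root\nnode2 root\nnode1 op_a\nnode2 op_b\n' > "$demo/cmclnodelist"
chmod 640 "$demo/cmclnodelist"

securetty_console_only "$demo/securetty" && echo "securetty: console only"
echo "root entries for: $(nodelist_root_hosts "$demo/cmclnodelist" | tr '\n' ' ')"
echo "uneven users: $(nodelist_uneven_users "$demo/cmclnodelist" | tr '\n' ' ')"
nodelist_mode_ok "$demo/cmclnodelist" && echo "cmclnodelist mode ok"
```

On a cluster node, call the functions with /etc/securetty and /etc/cmcluster/cmclnodelist on each member and compare the results across nodes.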