
Restrict direct login for root

Status
Not open for further replies.

x4lewis

MIS
Nov 8, 2000
1
SG
My policy states that root account can only be accessed through the SU command, and that root access should only be done on the console. To do these:

I need to refuse direct root access at the console and all other ttys. I have yet to try this and hope to ask whether appending "ttys=!ALL" to the /etc/security/user file works.

The rlogin/telnet is explicitly allowed in my environment, so anyone can potentially su to root. Can it be controlled? I guess it cannot. One workaround is to limit the users and so limiting the risks, by specifying sugroups=admin_group in the /etc/security/user file.

Any comments are welcomed.
 
Refuse root login at the console also? What if your system is really locked up and you have only option of logging in as root to reboot?

Safe policy is to allow root via su only for all ttys except console. And this is why under all UNIX there is a mechanism to do this but not to restrict root at console.
 
If you're using IBM AIX as your UNIX OS then just go into smit > users > change/show user, type root for the username to change/show and go down the list until you see where it says "can login remotely?" and say no. This will restrict root from doing any telnet, or remote commands (rsh, rlogin, rcp etc.). You will be able to log in at the console as root, no need to worry about the system locking up and not being able to get in, you can go in from the console hooked up to the server. Hope this helps.

Additionally, though a note of SECURITY caution, you could create one account with a uid of 0 same as root who can 'su' and only provide the password to sysadmins who need it, or use the sudo program.

Hope this helps
Jon Zimmer
jon.zimmer@pf.net
The software required `Windows 95 or better', so I installed Linux.
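An added example, not from the thread or from IBM: a small POSIX sh audit that reads the root stanza of an AIX-style /etc/security/user file and checks the three attributes discussed above ("can login remotely?" is the rlogin attribute, plus sugroups and ttys). The two stanzas are constructed samples, and the console device name /dev/lft0 in the hardened sample is an assumption, not taken from the thread.

```shell
#!/bin/sh
# Audit root's stanza in an AIX-style /etc/security/user file against the
# policy in this thread: no remote root login, su to root limited to one
# group, and root's allowed ttys not left as ALL.
# Constructed sample file contents (not real system files).
SAMPLE_WEAK='root:
        admin = true
        rlogin = true
        sugroups = ALL
        ttys = ALL

default:
        admin = false
'
SAMPLE_HARDENED='default:
        admin = false

root:
        admin = true
        rlogin = false
        sugroups = admin_group
        ttys = /dev/lft0
'
# root_attr CONTENT NAME: print the value of attribute NAME in the "root:" stanza.
# Assumes the usual "name = value" layout; the stanza name is the line without indent.
root_attr() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[^ \t]/ { stanza = $0; sub(/:.*/, "", stanza) }
        stanza == "root" && $1 == name && $2 == "=" { print $3; exit }
    '
}
# check_root_policy CONTENT: print "OK" or "FINDINGS: ..." and return 1 on findings.
check_root_policy() {
    findings=""
    [ "$(root_attr "$1" rlogin)" = "false" ] || findings="$findings rlogin"
    sg=$(root_attr "$1" sugroups)
    [ -n "$sg" ] && [ "$sg" != "ALL" ] || findings="$findings sugroups"
    ttys=$(root_attr "$1" ttys)
    [ -n "$ttys" ] && [ "$ttys" != "ALL" ] || findings="$findings ttys"
    if [ -z "$findings" ]; then echo OK; return 0; fi
    echo "FINDINGS:$findings"; return 1
}
for sample in "$SAMPLE_WEAK" "$SAMPLE_HARDENED"; do
    check_root_policy "$sample" || :   # non-zero status only means findings were printed
done
```

On a real system, feed it the file with `check_root_policy "$(cat /etc/security/user)"`; a missing attribute in the root stanza is reported as a finding because the stanza then falls back to the default stanza.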

 
"create one account with a uid of 0"

Hmmmmmm -- our audit team would rip you limb from limb, and enjoy it......
Mike
michael.j.lacey@ntlworld.com
 
I'm just telling you of a suggestion I read in an AIX RS6000 system Administration manual. I didn't say I'd do it or that I did it, and I added the note of caution where security is concerned.
Jon Zimmer
jon.zimmer@pf.net
The software required `Windows 95 or better', so I installed Linux.

 