RE: [cobalt-users] Disallowing remote root login



Rodolfo,
> vc/[1-11]
> tty/[1-11]
> 
> OK, but I'm using sshd and every time I log in I'm listed as using a
> pts/[0-?] terminal. Usually 0 or 1, of course, since I should be the
> only one ever to log in directly and I rarely run more than two
> sessions.
> 
> I am *guessing* that vc means "virtual console" so that I should leave
> those there, and that tty means "teletype" which is all remote terminals
> coming in over serial, network, or any means other than keyboard, so I
> should delete all those. Nevertheless, I never delete random things
> without asking first.

Remote root logins are disabled by default for most standard services that
I can think of. I just verified attempted remote root logins with telnet,
which I do not normally run, and ftp which I leave off when not in active 
use. Neither allowed a root login. This leaves secure shell, which for
some reason allows root login by default. Interesting that something
designed to improve your security blunders about so badly on this issue.
You can simply change the entry in sshd_conf for PermitRootLogin to no.
Completely kill all sshd processes (no, HUP won't do it); but keep an open
telnet login active, so you can restart sshd.

Apologies if I have misunderstood the question, or oversimplified what is
more complicated than it at first appears to be. I believe you need those
securetty and vc entries as they are necessary to basic services on all
logins, including yours.

Clark
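
An added example, not part of the original message: a check of sshd configuration text for the effective PermitRootLogin value, including the case where a `no` added below an existing setting is ignored because sshd keeps the first value it reads. The sample configuration and the function name are constructed for illustration, and the default is a parameter because it differs between OpenSSH releases.

```python
# Added example: audit sshd configuration text for the effective PermitRootLogin.
# SAMPLE_CONFIG is constructed for illustration, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""


def audit_permit_root_login(text, default="yes"):
    """Return the global PermitRootLogin value, Match overrides and findings.

    `default` is what sshd uses when the keyword is absent; it differs between
    OpenSSH releases, so the caller supplies it ("yes" is what the post reports).
    Include directives are not followed.
    """
    global_value, overrides, findings = None, [], []
    match = None  # argument of the Match block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out settings have no effect
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match = arg
        elif keyword == "permitrootlogin":
            if match is not None:
                overrides.append((match, arg))
                if arg != "no":
                    findings.append(f"line {lineno}: root allowed for 'Match {match}' ({arg})")
            elif global_value is None:
                global_value = arg  # sshd keeps the first value it reads
            else:
                findings.append(f"line {lineno}: '{arg}' ignored, first value '{global_value}' wins")
    if global_value is None:
        global_value = default
        findings.append(f"PermitRootLogin not set, default '{default}' applies")
    if global_value != "no":
        findings.insert(0, f"global PermitRootLogin is '{global_value}'")
    return {"global": global_value, "overrides": overrides, "findings": findings}


if __name__ == "__main__":
    for item in audit_permit_root_login(SAMPLE_CONFIG)["findings"]:
        print(item)
```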