
Re: [cobalt-users] Disallowing remote root login



On Sun, 25 Mar 2001 rpaiz@xxxxxxxxxxxxxx wrote:

> Hi!
> 
> Long message warning, but I want to ensure that the final result of this
> (http://www.enteract.com/~lspitz/linux.html) which I highly recommend to

heh, go back and read more carefully -/ That page is based on RH 6 without
PAM, PAM has direct support for a wheel group, trying to add group
passwords manually is likely to subvert PAM..

> gpasswd -a xxxxx wheel
> gpasswd -a yyyyy wheel
> gpasswd -a zzzzz wheel
> 
> to add the xxxxx, yyyyy, and zzzzz users to the group wheel, whose
> members are the only ones who should be able to su to root. I added
> three highly-trusted users in case I forget my password or my plane
> crashes (much more likely). Then I did:

So now instead of one password to guess, they get to try for any of 4,
you just reduced the strength to 25% ;) This is the inherent problem with
wheel groups...

> 
> chgrp wheel /bin/su
> chmod 4750 /bin/su
> 
> chgrp changes the permissions, and chmod restores them to what they were
> before. Now only these three users can issue the command su.

This is almost certainly going to interact badly with the GUI and
background daemons which use su ...
At a minimum they are going to be setting group ownership wrong...

Many things in linux will get unhappy if user is unprivileged and group
is...

> The final step is to disallow all remote root logins, which will ensure
> someone must crack *two* passwords at least to get root access (or hack
> some service like BIND, but that's another story). Anyway, one more
> layer...

but they are not root logins anymore, now they are wheel group/user logins
with root privileges ;)

> 
> I believe that this is done by editing the /etc/securetty file (which is
> a text file only readable/writable by root with permissions 600).
> However, this is where I get stuck. The file includes two types of
> entries:
> 
> vc/[1-11]
> tty/[1-11]
> 
> OK, but I'm using sshd and every time I login I'm listed as using a
> pts/[0-?] terminal. Usually 0 or 1, of course, since I should be the
> only one ever to log in directly and I rarely run more than two
> sessions.
> 
> I am *guessing* that vc means "virtual console" so that I should leave
> those there, and that tty means "teletype" which is all remote terminals
> coming in over serial, network, or any means other than keyboard, so I
> should delete all those. Nevertheless, I never delete random things
> without asking first.

  vc  - virtual console - eg the physical keyboard/display
  tty - terminal interface to a device (eg serial or network connection)
  pty - pseudo-tty looks like a tty to the program, but is really
        connected to another program (eg to sshd)

  trying to restrict root logins on pty's will probably cause really
  interesting (bad) things to happen -/

  root is already restricted by default, ssh is special, if you don't want
  ssh to allow root logins tell it, it has a config line for that...

  (securetty is only checked by login, telnet happens to use login also;)
...

  I'm not really certain what you are trying to do here...
  wheel groups are kind of a bsd thing, but bsd applications are more
aware of them, linux isn't, and the purpose of wheel groups is mostly to
allow shared administration without giving out the same root password to
everyone, but there are weaknesses here...

stating the obvious....BSD is very different -/

gsh
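As an added illustration of the two points gsh makes above (not code from the thread or from Cobalt): the PAM-based way to restrict su to group wheel, which is pam_wheel in /etc/pam.d/su rather than chgrp/chmod on /bin/su and gpasswd group passwords, and sshd's own PermitRootLogin option rather than editing /etc/securetty, which sshd never reads. The script works on constructed sample copies of /etc/pam.d/su and sshd_config in a temporary directory, so running it touches nothing under /etc; the sample file contents are made up for the example and are not claimed to match any particular RedHat or Cobalt release.

```shell
#!/bin/sh
# Added example: restrict su to wheel via PAM and disable ssh root logins.
# Operates only on constructed copies under a temp dir, never on /etc.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PAM stack for su: any user who knows root's password can su.
cat > "$WORK/su.before" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF

# Insert pam_wheel right after pam_rootok so root itself can still su freely.
# use_uid makes pam_wheel check the real uid's membership in group wheel
# (from /etc/group); no group password is involved, so gpasswd-style group
# passwords are unnecessary and /bin/su keeps its normal ownership and mode.
enable_pam_wheel() {
    awk '{ print }
         /pam_rootok\.so/ { print "auth       required     pam_wheel.so use_uid" }' "$1"
}

# Return 0 if the PAM file requires wheel membership before pam_unix runs.
su_restricted_to_wheel() {
    grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed sshd_config fragment with root logins still allowed.
cat > "$WORK/sshd_config.before" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# sshd has its own knob for this; securetty is consulted by login, not sshd.
disable_ssh_root_login() {
    sed 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$1"
}

# Return 0 if sshd would still accept root logins under this config.
# sshd honours the first occurrence of a keyword; a missing keyword is
# treated here as "yes", the historical default.
ssh_root_login_permitted() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    [ "${val:-yes}" != "no" ]
}

enable_pam_wheel "$WORK/su.before" > "$WORK/su.after"
disable_ssh_root_login "$WORK/sshd_config.before" > "$WORK/sshd_config.after"

echo "--- /etc/pam.d/su (hardened copy) ---"
cat "$WORK/su.after"
echo "--- sshd_config (hardened copy) ---"
cat "$WORK/sshd_config.after"
```

To apply this for real you would make the same two edits to /etc/pam.d/su and the sshd_config on the box, add the trusted admins to wheel with gpasswd -a as in the original message, and restart sshd; the remaining exposure gsh points out, that every wheel member's password now guards root, is unchanged by either edit.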