
RE: [cobalt-users] Disallowing remote root login



> Remote root logins are disabled by default for most standard
> services that I can think of. I just verified attempted remote
> root logins with telnet, which I do not normally run, and ftp
> which I leave off when not in active use. Neither allowed a root
> login. This leaves secure shell, which for some reason allows
> root login by default. Interesting that something designed to
> improve your security blunders about so badly on this issue.

It was precisely the sshd remote root login which was the only thing I
was still missing. You've hit the question right on the head.

> You can simply change the entry in sshd_conf for PermitRootLogin
> to no.

I should have waited for a response... :) I was just about to post a
message to the list saying I'd found the sshd_config file and noticed
the PermitRootLogin entry. :) I have now set PermitRootLogin to no, and
just by the way I also disallowed the use of SSH-1 protocol. Only SSH-2
is acceptable now.

> Completely kill all sshd processes (no, HUP won't do it); but
> keep an open telnet login active, so you can restart sshd.

I had an SSH session active, and typed the command

	service sshd restart

which said

	Shutting down SSHD service                        [OK]
	Starting SSHD service                             [OK]

and left my current session active without any interruptions. I then
started up a new session and tried to log in as root... got roundly
rejected, which will make my next LogCheck mail quite colorful to read.
Logged in as myself, then su'd to root, and the whole thing worked like a
charm.

> Apologies if I have misunderstood the question,

Nope. Got it perfectly.

> I believe you need those securetty and vc entries as
> they are necessary to basic services on all logins,
> including yours.

Based on my reading and searching right now, it appears that sshd
creates a pts terminal (usually pts/0 if it's the first), and that's
what you use. The pts/0 terminal, however, does in fact use the tty1
terminal on the system if I correctly understand what I see from the ps
command.

So, as a conclusion: the securetty file does *not* need to be modified.

Thanks a lot!

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
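
An added example, not part of the original message: a small audit of the two settings changed in this thread (PermitRootLogin no, SSH-2 only). It assumes an sshd of the thread's era that still honours the Protocol keyword and a config without Match or Include lines; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Print the effective global value of keyword $1 in sshd config file $2.
# sshd uses the first value it obtains for a keyword and keywords are
# case-insensitive, so a later duplicate line does not override an earlier one.
effective_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }                 # commented-out lines do not count
        NF < 2 { next }                     # blank or incomplete line
        tolower($1) == "match" { exit }     # assumption: global section only
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$2"
}

# Check the two settings from the message: no root login, SSH-2 only.
audit_sshd_config() {
    prl=$(effective_value PermitRootLogin "$1")
    proto=$(effective_value Protocol "$1")
    rc=0
    [ "$prl" = "no" ] || { echo "FAIL PermitRootLogin=$prl (want no)"; rc=1; }
    [ "$proto" = "2" ] || { echo "FAIL Protocol=$proto (want 2)"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK root login disabled, SSH-2 only"
    return "$rc"
}

# Constructed sample configs (not taken from a real host).
sample_config() {
    case $1 in
        good) printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PermitRootLogin yes' ;;
        bad)  printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' 'Protocol 2,1' ;;
    esac
}

# With a path argument, audit that file; otherwise audit the samples.
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
else
    tmp=$(mktemp) || exit 1
    for s in good bad; do
        sample_config "$s" > "$tmp"
        echo "== $s"; audit_sshd_config "$tmp" || true
    done
    rm -f "$tmp"
fi
```

The "bad" sample shows why a grep for "PermitRootLogin no" is not enough: the only matching line is commented out. Where the installed sshd supports extended test mode, `sshd -T` prints the configuration the daemon will actually use.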