Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

preventing root login on telnet or modem sessions

2 views
Skip to first unread message

John Galt

unread,
Oct 25, 2002, 9:28:35 AM10/25/02
to
Is there a way to prevent authorized users from logging in directly as
root on telnet sessions or dialup sessions? I'd like to force the user
to log in with their own account, then su to root. System is SCO Open
Server 5.0.6.

Thanks.

Tom Parsons

unread,
Oct 25, 2002, 9:45:31 AM10/25/02
to sco...@xenitec.on.ca
John Galt enscribed:

man login tells you to put the following line in /etc/default/login
to restrict root logins to the first console multi-screen

CONSOLE=/dev/tty01
--
==========================================================================
Tom Parsons t...@tegan.com
==========================================================================

Fabio Giannotti

unread,
Oct 25, 2002, 9:51:06 AM10/25/02
to Scomsc (E-mail)


You can edit /etc/default/boot and add a line similar to the following:

CONSOLE=/dev/tty01

This will restrict root to only be allowed to log in on the first screen of
the main console. (su-ing will work from anywhere.)

Fabio

Tony Lawrence

unread,
Oct 25, 2002, 10:07:50 AM10/25/02
to


man login
or http://stage.caldera.com/cgi-bin/ssl_getmanpage?login+M+OS5+login

It's the CONSOLE setting in /etc/default/boot that controls this.


Related:
http://aplawrence.com/SCOFAQ/scotec1.html
http://aplawrence.com/Bofcusm/1652.html
http://aplawrence.com/Bofcusm/1351.html

--

Please note new phone number: (781) 784-7547

Tony Lawrence
Unix/Linux Support Tips, How-To's, Tests and more: http://aplawrence.com
Free Unix/Linux Consultants list: http://aplawrence.com/consultants.html

Tom Parsons

unread,
Oct 25, 2002, 11:08:57 AM10/25/02
to sco...@xenitec.on.ca
Tony Lawrence enscribed:

| John Galt wrote:
| > Is there a way to prevent authorized users from logging in directly as
| > root on telnet sessions or dialup sessions? I'd like to force the user
| > to log in with their own account, then su to root. System is SCO Open
| > Server 5.0.6.
|
| man login
| or http://stage.caldera.com/cgi-bin/ssl_getmanpage?login+M+OS5+login
|
| It's the CONSOLE setting in /etc/default/boot that controls this.
|
| Related:
| http://aplawrence.com/SCOFAQ/scotec1.html
| http://aplawrence.com/Bofcusm/1652.html
| http://aplawrence.com/Bofcusm/1351.html

Geez, I thought my eyes were bad.

I originally wrote /etc/default/boot but for some reason it bothered me.
So I did the unmentionable and looked it up, couldn't believe what I found,
tested it and changed boot to login.

On at least 5.0.5 and 5.0.6, the CONSOLE entry belongs in /etc/default/login,

:-)

Tony Lawrence

unread,
Oct 25, 2002, 11:29:58 AM10/25/02
to
Tom Parsons wrote:
> Tony Lawrence enscribed:
> | John Galt wrote:
> | > Is there a way to prevent authorized users from logging in directly as
> | > root on telnet sessions or dialup sessions? I'd like to force the user
> | > to log in with their own account, then su to root. System is SCO Open
> | > Server 5.0.6.
> |
> | man login
> | or http://stage.caldera.com/cgi-bin/ssl_getmanpage?login+M+OS5+login
> |
> | It's the CONSOLE setting in /etc/default/boot that controls this.
> |
> | Related:
> | http://aplawrence.com/SCOFAQ/scotec1.html
> | http://aplawrence.com/Bofcusm/1652.html
> | http://aplawrence.com/Bofcusm/1351.html
>
> Geez, I thought my eyes were bad.

That's what I get for doing more than one thing at the same time. I
was talking to someone else about wd.delay while typing this.

>
> I originally wrote /etc/default/boot but for some reason it bothered me.
> So I did the unmentionable and looked it up, couldn't believe what I found,
> tested it and changed boot to login.
>
> On at least 5.0.5 and 5.0.6, the CONSOLE entry belongs in /etc/default/login,
>
> :-)


Sure, that's the TRADITIONAL place to put it :-)

John Galt

unread,
Oct 28, 2002, 4:03:30 PM10/28/02
to
Okay. I've been through the man pages, the web pages and anything else
I could find to see if I was doing this right. But whenever I add:

CONSOLE=tty01
or
CONSOLE=/dev/tty01

to /etc/defaults/login I can't log in as anybody. I don't even get a
login prompt when I telnet in. It says:

Trying 172.16.106.150...
Connected to system2.mydomain.com.
Escape character is '^]'.
Connection closed by foreign host.

as though it's not even starting the login process.

Here's my /etc/default/login file:
CONSOLE=tty01
ALTSHELL=YES
ULIMIT=4194303
PATH=/bin:/usr/bin:/usr/local/bin
OVERRIDE=tty01
PASSREQ=NO
IDLEWEEKS=0
ALLOWHUSH=YES
REUSEUID=YES

Any ideas what I'm doing wrong?

Thanks.

John

Tony Lawrence <to...@pcunix.com> wrote in message news:<apbo1j$t6q$1...@pcls4.std.com>...

John Galt

unread,
Nov 11, 2002, 2:05:40 PM11/11/02
to
I finally figured this out on my own.

I also had to add:
REMOTE_ROOT_OK=1

to the /etc/default/login file along with:

CONSOLE=tty01


Everything is now working. The man pages did not indicate that
REMOTE_ROOT_OK was needed for simple logins. It implied that that
setting would effect only network root logins via rexecd.

Thanks to everyone who helped.

John


Fabio Giannotti <fab...@venmar.com> wrote in message news:<003401c27c2d$91d01160$6700...@venmar.com>...

0 new messages