
Allowing root login to system console only


Kristin Heard
Dec 1, 1995
I want to allow root to log in directly only from the system
console. I've only been able to achieve this by also taking
away "su" privileges from all other ttys, so that the only
place you can gain root access is at the console. I still want
to be able to "su" from other ttys, but just be able to login
directly only from the console. Anyone know how to achieve
this or where I can find the info to achieve this? Thanks in
advance.


Kristin Heard khe...@melita.com
Melita International
Norcross, Georgia

Michael Abel
Dec 2, 1995
Use the TTY attribute of the user definitions of the
root user (e.g. set it to hft/0) in order to let the
root user login only at the console.

Regards,
Michael

In article <49njpa$r...@melita.melita.com>,

Mathew A. Hennessy
Dec 5, 1995
In article <49p60e$p...@arl-news-svc-1.compuserve.com> you write:
>Use the TTY attribute of the user definitions of the
>root user (e.g. set it to hft/0) in order to let the
>root user login only at the console.

Will this let you run X Windows as root, though, and allow you to
open ptys? I think I've had trouble with this. If you're gonna have only
a single tty root login-able, you'd probably best use a terminal if possible.

>Regards,
>Michael
--
Mathew A. Hennessy | NASD, IBM (infoSage project). AIX/SunOS/Solaris/MS
henn...@pepper.spicerack.ibm.com | IBM doesn't pay me to speak, so I don't
"Rngvat xvggraf vf whfg cynva jebat, naq ab-bar fubhyq qb vg, rire!!" -Gur Gvpx
"Lbh'yy cnl _ZR_ gb xabj jung lbh _ERNYYL_ guvax!" - W. E. "ObO" Qboof

Robert M. DiGioia
Dec 5, 1995
In article <49njpa$r...@melita.melita.com>, khe...@melita.com says...

>
>I want to allow root to log in directly only from the system
>console. I've only been able to achieve this by also taking
>away "su" privileges from all other ttys, so that the only
>place you can gain root access is at the console. I still want
>to be able to "su" from other ttys, but just be able to login
>directly only from the console. Anyone know how to achieve
>this or where I can find the info to achieve this? Thanks in
>advance.
>
>
>Kristin Heard khe...@melita.com
>Melita International
>Norcross, Georgia
>
>
This question intrigued me, and I spent a few free hours over the weekend playing with it. You are
correct that setting the allowed tty attribute on the user will also prevent anyone from su'ing to that id
except from the allowed terminal, as I tried that also.

To do what you want, you have to write your own authentication method. It isn't too hard, but it is not
well documented in AIX. I wrote a piece of code (enclosed) that should do what you want. I tested
it on a 250, 570, and 590 all running 3.2.5.

To compile the attached program, use cc -ochklogintty chklogintty.c
Move the binary somewhere, I'll assume /bin/local. Since it is called as part of login, it runs as root, so
you might want to make sure that no one can write to it.
Create a new stanza in /etc/security/login.cfg for the new method:

restricttty:
	program=/bin/local/chklogintty

In the /etc/security/user file, find the user you want to restrict (I'll assume user foo). There will be a
user stanza like

foo:
	passwd=...
	expires=...
	...
	auth1=SYSTEM

change it to

	auth1=SYSTEM,restricttty;foo:/dev/tty0

or you can do this step in smit. On the user form, scroll down to Primary Authentication Method. It
should say SYSTEM. You want to change it to SYSTEM,restricttty;<userid>:<path for allowed tty>.
You can't use the secondary authentication for this as AIX will allow a login even if the secondary
authentication method fails (which makes it kinda useless...).

AIX handles authentication chains as a series of comma delimited methods. The SYSTEM method is
what normally authenticates users, and you don't want to change that. Each method can specify a
single argument by appending semicolon followed by the argument. If there is no argument (as on
SYSTEM), AIX sticks in the user id. Since I wanted to know both the user id (for logging) and what
terminal to allow a login on, I merged them into a single argument separated by a colon.

As far as limitations, the only one I can think of is that it supports allowing the user to login only on a
single tty. Perhaps someone else might feel like extending it to use regular expressions or something.

One piece of weirdness: to indicate to AIX that the login should fail, an authentication method should
have a non-zero exit code. However, login will display the ever-popular message 'You entered an
invalid login name or password', and I could not figure out how to stop it, so chklogintty will output a
message like '<user> not allowed to login on <tty>' to help clarify why the login failed.

I would suggest that you create a test user id to play with before impacting any real user.

If you have any problems or questions, feel free to e-mail me...

Cheers,
-Robert
--
/****************************************************************************
 *
 * :vi set tabstop=4
 *
 * Name     : chklogintty
 * Function : allows a user to login only on a specified terminal while
 *            allowing other users to su to the user regardless of terminal
 * Author   : Robert M. DiGioia (digi...@cyberatl.net)
 * Status   : Freeware.
 *
 ****************************************************************************/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>		/* exit */
#include <string.h>
#include <syslog.h>
#include <unistd.h>		/* isatty, ttyname, getuid, geteuid */

int
main(int ac, char *av[])
{
	char *authTty;
	char *cp;
	char *id;
	char *loginTty;
	char *pgmName;
	int ec = 0;			/* exit code: 0 lets the login proceed, non-zero denies it */

	/* save pgm basename */
	if ((cp = strrchr(av[0], '/')) == NULL)
		pgmName = strdup(av[0]);
	else
		pgmName = strdup(cp + 1);

	if (pgmName == NULL)
	{
		fprintf(stderr, "%s: strdup failed: %s\n", av[0], strerror(errno));
		exit(-2);
	}

	/* set up logging to syslog */
	openlog(pgmName, LOG_PID|LOG_CONS, LOG_AUTH);

	if (ac != 2)
	{
		syslog(LOG_DEBUG, "%s: called with %d parameters, expected 1\n",
			pgmName, ac - 1);
		closelog();
		exit(-3);
	}

	/* check for proper syntax, av[1] should be id:ttyname */
	if ((cp = strchr(av[1], ':')) == NULL)
	{
		syslog(LOG_DEBUG, "%s: invalid argument %s; should be id:ttyname\n",
			pgmName, av[1]);
		closelog();
		exit(-4);
	}

	/* divide av[1] into two variables, id and tty */
	*cp = '\0';
	if ((id = strdup(av[1])) == NULL)
	{
		syslog(LOG_DEBUG, "%s: strdup failed: %s\n", pgmName, strerror(errno));
		closelog();
		exit(-5);
	}

	if ((authTty = strdup(cp + 1)) == NULL)
	{
		syslog(LOG_DEBUG, "%s: strdup failed: %s\n", pgmName, strerror(errno));
		closelog();
		exit(-6);
	}

	/* see if stdin is a tty, if so, try to authenticate, if not exit quietly */
	if (isatty(0))
	{
		/* get the ttyname; treat an undeterminable name as "unknown" so the
		 * comparison below can never match it */
		if ((loginTty = ttyname(0)) == NULL)
			loginTty = "unknown";

		/* if logging in, uid = euid = 0
		 * if su, uid = uid, euid = 0
		 * therefore, if uid = euid a login is being attempted
		 * (if root is su'ing to someone, uid = euid, but root can su to any id
		 * without authentication so this pgm would not be called)
		 */
		if (getuid() == geteuid())
		{
			/* compare the terminal named in the argument with the one
			 * login is actually running on */
			if (strcmp(authTty, loginTty) == 0)	/* login on allowed tty */
				syslog(LOG_ALERT, "%s: %s login allowed on %s\n",
					pgmName, id, loginTty);
			else
			/* login on disallowed tty */
			{
				printf("%s not allowed to login on %s\n\n", id,
					loginTty);
				syslog(LOG_ALERT, "%s: %s login denied on %s\n",
					pgmName, id, loginTty);
				ec = -1;
			}
		}
	}

	closelog();

	exit(ec);
}


------------------------------------------------------------------------------------
Robert M. DiGioia | Opinions are mine,
digi...@cyberatl.net | facts are generally stolen
------------------------------------------------------------------------------------
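Robert's program accepts exactly one terminal, and he invites someone to extend it. The following is an added example, not Robert's code and not anything from IBM: the same auth-method idea, with the single argument slot now carrying a comma-separated list of allowed terminals (for instance foo:/dev/tty0,/dev/hft/0 after the restricttty; part of auth1). The login.cfg and /etc/security/user wiring is as described in his post, and the uid == euid test for telling a login from an su is taken from his code. The names parse_auth_arg, tty_allowed, decide, check_login and chklogintty2 are this example's own.

```c
/* Added example, not Robert DiGioia's program: an AIX auth-method program
 * in the same mould as chklogintty, whose single argument may now list
 * several allowed terminals:  program=...;foo:/dev/tty0,/dev/hft/0
 * Names parse_auth_arg, tty_allowed, decide, check_login and chklogintty2
 * are this example's own; the uid == euid test is the post's heuristic. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define MAX_TTYS 16
#define NAME_LEN 64

struct auth_arg {
    char id[NAME_LEN];
    char ttys[MAX_TTYS][NAME_LEN];
    int ntty;
};

/* Split "id:tty1,tty2,..." into its parts. Returns 0 on success, -1 if the
 * argument is malformed (no colon, empty id, empty tty, too many ttys). */
int parse_auth_arg(const char *arg, struct auth_arg *out)
{
    const char *colon = strchr(arg, ':'), *p;
    size_t idlen;

    memset(out, 0, sizeof *out);
    if (colon == NULL) return -1;
    idlen = (size_t)(colon - arg);
    if (idlen == 0 || idlen >= NAME_LEN) return -1;
    memcpy(out->id, arg, idlen);                 /* memset left the NUL */
    for (p = colon + 1; *p != '\0'; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= NAME_LEN || out->ntty >= MAX_TTYS) return -1;
        memcpy(out->ttys[out->ntty++], p, len);
        p = comma ? comma + 1 : p + len;
    }
    return out->ntty > 0 ? 0 : -1;
}

/* Exact match against the allowed list; an unknown (NULL) tty never matches. */
int tty_allowed(const struct auth_arg *a, const char *login_tty)
{
    int i;
    if (login_tty == NULL) return 0;
    for (i = 0; i < a->ntty; i++)
        if (strcmp(a->ttys[i], login_tty) == 0) return 1;
    return 0;
}

/* Exit status for one invocation: 0 passes, 1 fails the method. Only a
 * direct login (uid == euid) is subject to the tty check; an su is not. */
int decide(const struct auth_arg *a, const char *login_tty, int is_login)
{
    if (!is_login) return 0;
    return tty_allowed(a, login_tty) ? 0 : 1;
}

/* Parse and decide in one step; -1 means the argument was malformed. */
int check_login(const char *arg, const char *login_tty, int is_login)
{
    struct auth_arg a;
    if (parse_auth_arg(arg, &a) != 0) return -1;
    return decide(&a, login_tty, is_login);
}

int main(int ac, char *av[])
{
    struct auth_arg a;
    const char *tty;
    int rc;

    openlog("chklogintty2", LOG_PID | LOG_CONS, LOG_AUTH);
    if (ac != 2 || parse_auth_arg(av[1], &a) != 0) {
        syslog(LOG_ERR, "bad argument, expected id:tty[,tty...] (got %d args)", ac - 1);
        closelog();
        return 2;                         /* non-zero: AIX treats the method as failed */
    }
    if (!isatty(0)) { closelog(); return 0; }   /* not an interactive login: stay quiet */
    tty = ttyname(0);
    rc = decide(&a, tty, getuid() == geteuid());
    if (rc != 0)                           /* login(1) only says "invalid login", so say why */
        printf("%s not allowed to login on %s\n", a.id, tty ? tty : "unknown tty");
    syslog(rc ? LOG_ALERT : LOG_INFO, "%s login %s on %s", a.id,
           rc ? "denied" : "allowed", tty ? tty : "unknown tty");
    closelog();
    return rc;
}
```

A trailing comma in the list is ignored, an empty element (two commas in a row) is rejected, and matching is exact on the path returned by ttyname(), so a /dev/pts/N or X session never matches a console entry by accident.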


Scott A. Chapman
Dec 5, 1995
Yes, call 1-800-ibm4fax get the listing of faxes available.

It basically describes adding an entry to /etc/security/login.cfg I think
doing a chuser and adding another check for authorization. You also
have to type in a little C program, and I mean tiny also.
I did put the same check in /etc/profile so it caught some other things too.

If you can't find the fax from IBM, send me a quick mail and I will see if
I can dig it out of my pile, er I mean desk.. ;-)

Kristin Heard (khe...@melita.com) wrote:
: I want to allow root to log in directly only from the system

: console. I've only been able to achieve this by also taking
: away "su" privileges from all other ttys, so that the only
: place you can gain root access is at the console. I still want
: to be able to "su" from other ttys, but just be able to login
: directly only from the console. Anyone know how to achieve
: this or where I can find the info to achieve this? Thanks in
: advance.


: Kristin Heard khe...@melita.com
: Melita International
: Norcross, Georgia

--
Scott Chapman
Unix Systems Admin _/ _/ _/ _/ _/_/_/
United HealthCare Corp. _/ _/ _/ _/ _/ _/
E-Mail: s...@uhc.com _/ _/ _/_/_/_/ _/
AT&T: (612) 797-4902 _/ _/ _/ _/ _/ _/
Fax: (612) 797-4333 _/_/_/ _/ _/ _/_/_/
Route: MN10-W116

Michael Wojcik
Dec 5, 1995
In article <4a0ia7$l...@news.atlcom.net> digi...@cyberatl.net (Robert M. DiGioia) writes:
> You can't use the secondary authentication for this as AIX will allow a
> login even if the secondary authentication method fails (which makes it
> kinda useless...).

Only if "authentication" means "allowing or denying login". It could be
used for other purposes. When I was at a shop that used AFS (Andrew File
System), for example, it had a separate Kerberos-based authentication
system that obtained a token for AFS file access. If the Kerberos
server was down, or a user who wasn't in the Kerberos user database logged
in, they could get local file access but not shared file access. That's
useful in some situations.

Michael Wojcik m...@mfltd.co.uk
AAI Development, Micro Focus Inc.
Department of English, Miami University

Jason A Lindquist
Dec 7, 1995
In <49njpa$r...@melita.melita.com> Kristin Heard (khe...@melita.com) wrote:
> I want to allow root to log in directly only from the system
> console. I've only been able to achieve this by also taking
> away "su" privileges from all other ttys, so that the only
> place you can gain root access is at the console. I still want
> to be able to "su" from other ttys, but just be able to login
> directly only from the console. Anyone know how to achieve
> this or where I can find the info to achieve this? Thanks in
> advance.

In /etc/security/user, look at the entry for root... mine is:

root:
admin = true
rlogin = false

root may log in on the console (either plain console or XDM login)
but not remotely, even by remote XDM... it MUST be the system
console. su to root is still allowed. You can also do this
directly from smu^Hit... it's the "User can rlogin?" entry.
You should set this to "false" for at least root, if not for
all other UID 0 accounts you may have.

[Note, this is on an AIX 3.2.5 system... I haven't looked at
our 4.1.2 box yet.]

JL

--
"... And that isn't flying a thousand miles an hour,
Jason A. Lindquist or a million, or flying at the speed of light.
li...@uiuc.edu <*> Because any number is a limit, and perfection
doesn't have limits..." -- Chiang Seagull

H.G.Borrmann
Jan 10, 1996
Jason A Lindquist (jlin...@ux4.cso.uiuc.edu) wrote:

: In /etc/security/user, look at the entry for root... mine is:

: root:
: admin = true
: rlogin = false

: root may log in on the console (either plain console or XDM login)
: but not remotely, even by remote XDM... it MUST be the system
: console. su to root is still allowed. You can also do this
: directly from smu^Hit... it's the "User can rlogin?" entry.
: You should set this to "false" for at least root, if not for
: all other UID 0 accounts you may have.

: [Note, this is on an AIX 3.2.5 system... I haven't looked at
: our 4.1.2 box yet.]

: JL

: --
: "... And that isn't flying a thousand miles an hour,
: Jason A. Lindquist or a million, or flying at the speed of light.
: li...@uiuc.edu <*> Because any number is a limit, and perfection
: doesn't have limits..." -- Chiang Seagull

This is wrong. Everyone can rlogin or telnet with some userid and simply
enter "login root". If she/he knows the password, she/he is logged in
as root. Disabling rlogin for root is not enough. My system is AIX 3.2.5.
--
H.G.Borrmann                              Tel.: (0761) 203-4652
Rechenzentrum der Universitaet Freiburg   Fax: (0761) 203-4643
Hermann-Herder-Str. 10                    email: borr...@ibm1.ruf.uni-freiburg.de
D79104 FREIBURG
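Jason's rlogin = false setting and H.G.Borrmann's objection that it does not stop "login root" from a session someone already has both come down to which attributes root's stanza in /etc/security/user actually carries. As an added example that is not part of any post in this thread, here is a small C parser for that stanza format (a "name:" line followed by "key = value" lines, "*" comment lines, and a "default:" stanza supplying values a user stanza does not set) with an audit function that reports for root whether remote login is open at all, whether any terminal rule exists (the ttys attribute or Robert's restricttty method on auth1), and whether the rule is a ttys restriction, which per Robert's test also blocks su to root from other terminals. The sample file contents are constructed for the example; rlogin and auth1 are the attribute names used in the thread, and ttys is assumed here to be the AIX attribute behind the "TTY attribute" Michael Abel mentions.

```c
/* Added example (not from any poster): parse the stanza format of
 * /etc/security/user and audit root's login-related attributes.
 * rlogin and auth1 are named in the thread; ttys is assumed to be the AIX
 * attribute behind the "TTY attribute" Michael Abel mentions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_STANZAS 8
#define MAX_ATTRS 16

struct attr { char key[32]; char val[128]; };
struct stanza { char name[32]; struct attr a[MAX_ATTRS]; int n; };

/* Audit result bits returned by audit_root() */
#define ROOT_RLOGIN_OPEN    1   /* rlogin/telnet straight in as root is allowed */
#define ROOT_NO_TTY_RULE    2   /* no terminal rule: "login root" works from any session */
#define ROOT_TTYS_BLOCKS_SU 4   /* ttys set: su to root from other terminals fails too */

static char *trim(char *s)
{
    char *end;
    while (isspace((unsigned char)*s)) s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* A line ending in ':' (and holding no '=') opens a stanza; "key = value"
 * lines belong to the current stanza; lines starting with '*' are comments.
 * Returns the stanza count, or -1 on malformed input. */
int parse_user_file(const char *text, struct stanza *out, int max)
{
    int n = 0;
    while (*text) {
        char line[256], *s, *eq;
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) return -1;
        memcpy(line, text, len); line[len] = '\0';
        text = nl ? nl + 1 : text + len;
        if (line[0] == '*') continue;
        s = trim(line);
        if (*s == '\0') continue;
        eq = strchr(s, '=');
        if (eq == NULL && s[strlen(s) - 1] == ':') {
            if (n >= max) return -1;
            s[strlen(s) - 1] = '\0';
            snprintf(out[n].name, sizeof out[n].name, "%s", trim(s));
            out[n++].n = 0;
        } else if (eq != NULL && n > 0 && out[n - 1].n < MAX_ATTRS) {
            struct attr *a = &out[n - 1].a[out[n - 1].n++];
            *eq = '\0';
            snprintf(a->key, sizeof a->key, "%s", trim(s));
            snprintf(a->val, sizeof a->val, "%s", trim(eq + 1));
        } else {
            return -1;
        }
    }
    return n;
}

static const struct stanza *find_stanza(const struct stanza *st, int n, const char *name)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(st[i].name, name) == 0) return &st[i];
    return NULL;
}

/* Value of key for user, falling back to the "default" stanza as AIX does. */
static const char *user_attr(const struct stanza *st, int n, const char *user, const char *key)
{
    const char *names[2] = { user, "default" };
    int i, k;
    for (k = 0; k < 2; k++) {
        const struct stanza *s = find_stanza(st, n, names[k]);
        for (i = 0; s != NULL && i < s->n; i++)
            if (strcmp(s->a[i].key, key) == 0) return s->a[i].val;
    }
    return NULL;
}

/* Returns ROOT_* bits (0 = console-only login with su still possible),
 * or -1 if the text is malformed or has no root stanza. */
int audit_root(const char *text)
{
    struct stanza st[MAX_STANZAS];
    int n = parse_user_file(text, st, MAX_STANZAS), flags = 0;
    const char *rlogin, *ttys, *auth1;
    if (n < 0 || find_stanza(st, n, "root") == NULL) return -1;
    rlogin = user_attr(st, n, "root", "rlogin");
    ttys = user_attr(st, n, "root", "ttys");
    auth1 = user_attr(st, n, "root", "auth1");
    if (rlogin == NULL || strcmp(rlogin, "false") != 0) flags |= ROOT_RLOGIN_OPEN;
    if (ttys != NULL && strcmp(ttys, "ALL") != 0) flags |= ROOT_TTYS_BLOCKS_SU;
    else if (auth1 == NULL || strstr(auth1, "restricttty") == NULL) flags |= ROOT_NO_TTY_RULE;
    return flags;
}

/* Constructed sample: Jason's stanza (rlogin = false only) under a typical default stanza. */
const char SAMPLE_RLOGIN_ONLY[] =
    "* constructed sample, not a real system file\n"
    "default:\n\tadmin = false\n\trlogin = true\n\tttys = ALL\n\n"
    "root:\n\tadmin = true\n\trlogin = false\n";

/* Constructed sample: the same plus Robert's restricttty method on auth1. */
const char SAMPLE_WITH_METHOD[] =
    "default:\n\trlogin = true\n\tttys = ALL\n\n"
    "root:\n\tadmin = true\n\trlogin = false\n"
    "\tauth1 = SYSTEM,restricttty;root:/dev/tty0\n";

int main(void)
{
    printf("rlogin only : flags=%d\n", audit_root(SAMPLE_RLOGIN_ONLY));
    printf("with method : flags=%d\n", audit_root(SAMPLE_WITH_METHOD));
    return 0;
}
```

With Jason's settings alone the audit reports ROOT_NO_TTY_RULE (Borrmann's point: nothing stops "login root" from a shell obtained as another user); with the restricttty method added it reports nothing; with ttys set instead it reports ROOT_TTYS_BLOCKS_SU, the side effect Robert observed.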
