Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Mark Post
 On Tue, Feb 5, 2008 at 3:11 PM, in message [EMAIL PROTECTED], Terry Spaulding [EMAIL PROTECTED] wrote:
-snip-
 I checked the /etc/sysconfig/displaymanager which has some new entries and
 some of the entries had different responses compared to SLES9.

That shouldn't have anything to do with the console.

 Has anyone found how to disable direct root login on the 3270 console for
 SLES10 ?

Try commenting out the line with ttyS0 in /etc/securetty


Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390


Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Stricklin, Raymond J
 

 I am trying to setup SLES10 to prevent direct login as root 
 on the 3270 console for a SLES10 Linux guest.

Terry;

In order to do this, you need to remove or comment the entry for ttyS0
in /etc/securetty.

It doesn't seem like a good idea in practice, though I couldn't put my
finger on exactly why.

ok
r.



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Adam Thornton

On Feb 5, 2008, at 2:11 PM, Terry Spaulding wrote:

I am trying to setup SLES10 to prevent direct login as root on the 3270 console for a SLES10 Linux guest.

I have disabled that in /etc/ssh/sshd_config with no problem for ssh sessions.

Something must be different on SLES10 compared to SLES9.

I checked the /etc/sysconfig/displaymanager which has some new entries and some of the entries had different responses compared to SLES9.

Has anyone found how to disable direct root login on the 3270 console for SLES10 ?

I'm guessing that removing everything from /etc/securetty will do it
for you.

I presume that if you ever lose the network on a guest, you're OK with
attaching the disks to a different guest and fixing it that way?

Adam



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Edmund R. MacKenty
On Tuesday 05 February 2008 15:11, Terry Spaulding wrote:
I am trying to setup SLES10 to prevent direct login as root on the 3270
console for a SLES10 Linux guest.

I have disabled that in /etc/ssh/sshd_config with no problem for ssh
sessions.

Something must be different on SLES10 compared to SLES9.

I checked the /etc/sysconfig/displaymanager which has some new entries and
some of the entries had different responses compared to SLES9.

Has anyone found how to disable direct root login on the 3270 console for
SLES10 ?

I think you want to comment out lines in /etc/securetty, because the console
is treated as a hard-wired tty device.  SSH is not involved in logging into
the console.  See securetty(5) and login(1) for details.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software, Inc.
Newton, MA USA



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread RPN01
This was my first thought also, but on second blush, if you have properly
set up sudoers, then being able to log in as your own userid, listed in
sudoers, is sufficient, and you shouldn't need to log into root from
anywhere, in theory.

The downside of this theory comes in the form of certain vendor products,
which must be installed from root; not from root via an su -, and not from
root via sudo, but only from good, old fashioned root at a terminal, having
entered the root password. (IBM, you know who you are)

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
Rochester, MN 55905
507-284-0844
In theory, theory and practice are the same, but
in practice, theory and practice are different.



On 2/5/08 2:15 PM, Stricklin, Raymond J [EMAIL PROTECTED] wrote:



 I am trying to setup SLES10 to prevent direct login as root
 on the 3270 console for a SLES10 Linux guest.

 Terry;

 In order to do this, you need to remove or comment the entry for ttyS0
 in /etc/securetty.

 It doesn't seem like a good idea in practice, though I couldn't put my
 finger on exactly why.

 ok
 r.



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Terry Spaulding
My mistake here.

I am not preventing direct root login on the 3270 console.

Any ID you enter on the 3270 console including root allows for no password
or incorrect password.

I am thinking I must have something not set correctly in one of the
/etc/pam.d files ?

Any thoughts ?

TIA ..

Regards,
Terry L. Spaulding
[EMAIL PROTECTED]
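
An added example, not from the thread: the kind of check one would run against /etc/pam.d/login for the symptom Terry describes (any password accepted). It looks only at the "auth" stack and does not follow "include" lines such as SLES's common-auth, so those files need the same audit; both sample stacks below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "auth" stack of a PAM service
# file for settings that let a login succeed without a correct password. The
# sample stacks below are constructed; on a real SLES10 guest point it at
# /etc/pam.d/login. "include" lines (e.g. common-auth) are reported but not
# followed, so audit the included file separately.

# pam_auth_audit FILE -> prints one finding per line; exit 0 when clean, 1 otherwise
pam_auth_audit() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
        tolower($1) != "auth" { next }   # only the authentication stack
        {
            ctrl = tolower($2); mod = $3; where = "(line " NR ": " $0 ")"
            if (ctrl == "include") { print "note: includes " mod ", audit that file too"; next }
            # pam_permit in the auth stack passes everyone; "sufficient" also short-circuits
            if (mod ~ /pam_permit/) { print "unconditional permit, control=" ctrl " " where; bad++ }
            # nullok lets accounts with an empty password field log in with no password
            if (mod ~ /pam_unix/ && $0 ~ /nullok/) { print "empty passwords accepted " where; bad++ }
            if (mod ~ /pam_unix/)      seen_unix = 1
            if (mod ~ /pam_securetty/) seen_securetty = 1
        }
        END {
            if (!seen_unix)      { print "no password-checking module (pam_unix/pam_unix2) in auth stack"; bad++ }
            if (!seen_securetty) { print "no pam_securetty line: /etc/securetty is never consulted"; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# --- constructed sample stacks (not real SLES10 files) ---------------------
good=$(mktemp); broken=$(mktemp)
cat >"$good" <<'EOF'
#%PAM-1.0
auth     requisite  pam_securetty.so
auth     required   pam_unix2.so
account  required   pam_unix2.so
EOF
cat >"$broken" <<'EOF'
#%PAM-1.0
auth     sufficient pam_permit.so
auth     required   pam_unix2.so nullok
account  required   pam_unix2.so
EOF

echo "== sane stack ==";   pam_auth_audit "$good" && echo "clean"
echo "== broken stack =="; pam_auth_audit "$broken" || echo "findings above explain password-less logins"
```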



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread David Boyes
To do this, remove or comment the entry for ttyS0 in /etc/securetty.

Note that this will make repairing problems harder. The time you need
root access on the console most is when everything else is borked, and
you already have the CP login password for the virtual machine
protecting the console terminal... 
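
The securetty edit that Mark, Raymond, Ed and David all describe, as an added shell example that is not code from the thread or from SUSE: it comments out exactly the ttyS0 entry, checks the file the way pam_securetty reads it, and takes the file path as a parameter so the change can be rehearsed on a copy. The stand-in file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: apply the "comment out ttyS0 in
# /etc/securetty" advice idempotently, and check the result the way
# pam_securetty reads the file (one device name per line, no /dev/ prefix,
# '#' starts a comment). The path is a parameter so this can be rehearsed
# on a copy; the demo file below is constructed, not a real SLES10 file.

# securetty_allows FILE TTY -> 0 if TTY is an active entry (root may log in there)
securetty_allows() {
    file=$1; tty=$2
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
        grep -qx "$tty"
}

# securetty_disable FILE TTY -> comments out every active line that is exactly TTY
# (anchored so that ttyS0 does not also match ttyS01); a .bak copy is kept.
# Edit rather than delete the file: an absent /etc/securetty is not the same
# thing to pam_securetty as an empty one, and emptying it (Adam's variant)
# locks root out of every tty, including the one you need when the network is gone.
securetty_disable() {
    file=$1; tty=$2
    sed -i.bak "s/^[[:space:]]*${tty}[[:space:]]*\$/# &/" "$file"
}

# --- constructed stand-in for /etc/securetty ----------------------------------
demo=$(mktemp)
cat >"$demo" <<'EOF'
# device names (without /dev/) on which root is allowed to log in
tty1
ttyS0
ttyS01
console
EOF

securetty_allows "$demo" ttyS0  && echo "before: root may log in on ttyS0"
securetty_disable "$demo" ttyS0
securetty_allows "$demo" ttyS0  || echo "after: root login on ttyS0 disabled"
securetty_allows "$demo" ttyS01 && echo "ttyS01 left alone"
grep -n '^#' "$demo"
```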



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread McKown, John
 -Original Message-
 From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
 Behalf Of Mark Post
 Sent: Tuesday, February 05, 2008 2:35 PM
 To: LINUX-390@VM.MARIST.EDU
 Subject: Re: preventing direct root login on the 3270 console 
 for SLES10
 
 
   On Tue, Feb 5, 2008 at 3:15 PM, in message [EMAIL PROTECTED]eing.com, Stricklin, Raymond J [EMAIL PROTECTED] wrote:
 
 -snip-
  It doesn't seem like a good idea in practice, though I couldn't put my
  finger on exactly why.
 
 Ohh, I can.  If login for non-root users is broken for any reason, you're
 done.  (Seen that happen a number of times on Intel/AMD systems.)  Securing
 the physical console of a midrange server is usually not an issue, if it's
 on the raised floor.  Not sure who would want to do this.  Certainly not
 anyone that's going to get called in the middle of the night to fix it.
 
 
 Mark Post

Easy to bork up in this case:

sudo touch /etc/nologin
sudo /sbin/shutdown -r now

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Mark Post
  On Tue, Feb 5, 2008 at  3:15 PM, in message
[EMAIL PROTECTED],
Stricklin, Raymond J [EMAIL PROTECTED] wrote: 

-snip-
 It doesn't seem like a good idea in practice, though I couldn't put my
 finger on exactly why.

Ohh, I can.  If login for non-root users is broken for any reason, you're done.
(Seen that happen a number of times on Intel/AMD systems.)  Securing the
physical console of a midrange server is usually not an issue, if it's on the
raised floor.  Not sure who would want to do this.  Certainly not anyone
that's going to get called in the middle of the night to fix it.


Mark Post



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Stricklin, Raymond J
 
 Ohh, I can.  If login for non-root users is broken for any 
 reason, you're done.  (Seen that happen a number of times on 
 Intel/AMD systems.)  

That's precisely the sort of thing I was thinking of. The nologin
situation is also a good one. I haven't worked enough with this part of
Linux to have been more specific, so I chose to punt. If we were talking
about, for example, Sun or pSeries, I would've been more strenuous in my
recommendation.

ok
r.



Re: preventing direct root login on the 3270 console for SLES10

2008-02-05 Thread Brandon
On Tue Feb 05 15:46:15 CST 2008, Stricklin, Raymond J
[EMAIL PROTECTED] wrote:


 Ohh, I can.  If login for non-root users is broken for any
 reason, you're done.  (Seen that happen a number of times on
 Intel/AMD systems.)

 That's precisely the sort of thing I was thinking of. The nologin
 situation is also a good one. I haven't worked enough with this part of
 Linux to have been more specific, so I chose to punt. If we were talking
 about, for example, Sun or pSeries, I would've been more strenuous in my
 recommendation.

 ok
 r.

Something we do on my desktop distribution is require gpg-agent
for logging in, if it's installed and the user has a GPG key (in
this case, root).

gpg-agent allows you to have more levels of security.  You can tie
it to the systems xsession file to further secure X sessions...
and you can add it to the system profile to further secure
terminal (and console sessions).  Depending on how you write your
.profile script, it could be required *only* if logging in on the
console.

What does it do?  It requires the person logging in to also enter
their gpg key pair passphrase, or get bumped out.  It will then
cache the passphrase in memory as a daemon during that login
session, if you tell it to.

How would I deploy it?  I'd set your system's /etc/profile or
/etc/bash_profile (if root shell is bash) to test for the TTY it's
on, if it's on your console TTY, require gpg-agent to execute and
finish with a 0 exit code... if any other exit code, exit the
shell immediately.

Then, keep the passphrase as either an impossible unknown (never
allowing root login on console, but user accounts could)... OR
Keep the passphrase with whatever responsible management, where
only management could release the passphrase if there were an
emergency... followed by an act of requiring a passphrase change
after such an emergency.

This allows you to have a root password + a GnuPG (GPG)
passphrase.

You can also enable this for network logins, if you wish.  Say
network logins require authenticating with an SSH key (not a unix
password) + a GnuPG passphrase, in a two-level authentication.

Hope this helps.

*Brandon Darbro
