Our system currently has the /etc/securetty restricting root access to the console only. Being the system administrator and somewhat remote from the console - 15 miles - I need to be able to log in as root from my PC. However, the tty addresses are variable, and thus I cannot set up a unique tty in the securetty file to allow me access. Is there a way round this so that I do not have to su each time?

Thanks
Hey;

On 2005-04-20, gary.cobden@nhs.net <gary.cobden@nhs.net> wrote:
>
> Our system currently has the /etc/securetty restricting root access to
> the console only.
>
> Being the system administrator and somewhat remote from the console -
> 15 miles - I need to be able to log in as root from my PC. However,
> the tty addresses are variable, and thus I cannot set up a unique tty in
> the securetty file to allow me access.
>
> Is there a way round this so that I do not have to su each time?

The reason you want to su each time is for repudiation. You, as the system manager, need to be able to identify who did what as root. If you simply allow telnet directly to root, then the only thing you *might* have is the IP address. Generally not good security practice and particularly not Sarbanes-Oxley compliant if that matters in your business.

The requirement to log in as a normal user also provides some security in depth in that the black hat will have to crack a toe-hold account before attempting access to root. That provides additional opportunities for system administrators to detect the black hat's work and stop him before he does anything that would impact system confidentiality, integrity, or availability.

About the only plausible way around the prohibition on direct root login while providing the necessary security is secure shell with public key authentication. That provides two-factor authentication and requires some set up on the target system that literally can't happen by accident. Some variants of ssh, F-Secure in particular, will actually log which key was used to access the account, thereby providing the repudiation support that you need. Unfortunately, OpenSSH doesn't do that - at least not without going to debug level logging, which makes the logging practically worthless.

Doug
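The reply above rests on being able to tie each root login back to the specific key that was presented, so that direct root access over ssh still leaves an audit trail. As an added example (editor's code, not from any poster in this thread), the Python script below reads OpenSSH "Accepted publickey" log lines and matches the fingerprint they carry against the comments in root's authorized_keys file; current OpenSSH releases log the SHA256 fingerprint at the default LogLevel, which is what makes this attribution possible. The log lines, the authorized_keys contents and the key blobs are all constructed sample data (the blobs are in SSH wire format but are not real keys), and the host name, addresses and key owners are invented for the demonstration.

```python
"""Attribute OpenSSH root logins to named authorized keys.

Added example, not code from the thread. Assumes log lines of the form
'Accepted publickey for root from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:<fp>'
and an authorized_keys file whose trailing comment names the key owner.
"""
import base64
import hashlib
import re
import struct

ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def fingerprint_of(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_authorized_keys(text: str) -> dict:
    """Map fingerprint -> comment for every key line.

    Blank lines and '#' comments are skipped. A leading options field such as
    from="..." is tolerated as long as it contains no spaces (simple split).
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The key type token starts with ssh-, ecdsa- or sk-; anything before it is options.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                break
        else:
            continue
        if i + 1 >= len(parts):
            continue
        comment = " ".join(parts[i + 2:]) or "<no comment>"
        table[fingerprint_of(parts[i + 1])] = comment
    return table


def parse_accepted(line: str):
    """Return the fields of an 'Accepted publickey' line, or None for any other line."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def attribute_root_logins(log_text: str, keys: dict) -> list:
    """Return (ip, fingerprint, owner) for each root publickey login.

    A fingerprint that is not in authorized_keys is flagged as UNKNOWN KEY, which
    is the case an administrator most wants to see.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec and rec["user"] == "root":
            out.append((rec["ip"], rec["fp"], keys.get(rec["fp"], "UNKNOWN KEY")))
    return out


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed key blob in SSH wire format (string type + string data); NOT a real key."""
    def sshstr(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(seed)).decode()


# Constructed sample data: two known keys, one unknown key, one non-root login.
GARY_BLOB = _fake_ed25519_blob(b"\x01" * 32)
DOUG_BLOB = _fake_ed25519_blob(b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# root's authorized_keys (constructed sample)
ssh-ed25519 {GARY_BLOB} gary@sysadmin-pc
from="192.0.2.0/24" ssh-ed25519 {DOUG_BLOB} doug@backup-host
"""
SAMPLE_LOG = (
    "Apr 20 09:12:01 hpbox sshd[4242]: Accepted publickey for root from 192.0.2.10 "
    f"port 51234 ssh2: ED25519 {fingerprint_of(GARY_BLOB)}\n"
    "Apr 20 09:15:44 hpbox sshd[4250]: Accepted publickey for root from 198.51.100.7 "
    "port 40000 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "Apr 20 09:16:02 hpbox sshd[4251]: Accepted publickey for alice from 192.0.2.11 "
    "port 40001 ssh2: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"
)

if __name__ == "__main__":
    known = load_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for ip, fp, who in attribute_root_logins(SAMPLE_LOG, known):
        print(f"root login from {ip} used {fp} -> {who}")
```

On a real host the script would read /var/log/auth.log (or the journal) and /root/.ssh/authorized_keys instead of the embedded samples. For the attribution to mean anything, sshd must only accept keys for root, which in OpenSSH is the `PermitRootLogin prohibit-password` setting (older releases spell it `without-password`); with that in place, every root session maps to exactly one key comment, and an UNKNOWN KEY row is something to investigate.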
Under HP-UX, what file do I need to edit to make this happen? My box doesn't have /etc/securetty.

gary.cobden@nhs.net wrote:
> Our system currently has the /etc/securetty restricting root access to
> the console only.
>
> Being the system administrator and somewhat remote from the console -
> 15 miles - I need to be able to log in as root from my PC. However,
> the tty addresses are variable, and thus I cannot set up a unique tty in
> the securetty file to allow me access.
>
> Is there a way round this so that I do not have to su each time?
>
> Thanks
c0re <spiv007@gmail.com> wrote:
> Under HP-UX, what file do I need to edit to make this happen? My box
> doesn't have /etc/securetty.

Just create the file. See the login(1) manual page for details. AFAIK, a "man -f securetty" would have pointed you there. man(1), if needed with '-k' or '-f', is your friend.