Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Disabling remote root login
  • From: Quintin Womack <qwomack@xxxxxxxxxxxxx>
  • Date: Tue, 25 Nov 2003 14:34:01 -0500 (GMT-05:00)
  • Message-id: <5721893.1069788842498.JavaMail.root@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Add

"auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail"

to /etc/pam.d/sshd

touch /etc/sshusers
chmod 600 /etc/sshusers

Add "username" to /etc/sshusers, where username is the authorized user you would want to be able to log in.

In the above "auth required..." line, "onerr" can also have a value of succeed. It depends on how you want the machine to react.

Hope this helps.

Quintin Womack

-----Original Message-----
From: "Watson, Michael" <MWatso@xxxxxxxxxx>
Sent: Nov 25, 2003 9:21 AM
To: "'suse-security@xxxxxxxx'" <suse-security@xxxxxxxx>
Subject: [suse-security] Disabling remote root login

Greetings!

I am experimenting with SuSE 9.0 professional and have encountered something
I don't understand.

I have disabled telnet, allowing only ssh for remote logins. Problem is, I
can ssh from Windows using putty to the test computer and log in remotely as
root, even though my /etc/securetty includes only entries for tty1 through
tty6. I don't want to allow remote root logins.

I did find a reference elsewhere to a similar problem, which was caused by
/etc/pam.d/login having its lines for pam_securetty.so and pam_nologin.so
commented out. I've checked my /etc/pam.d/login, and the relevant lines
read:

auth required pam_securetty.so
auth required pam_nologin.so

I was eventually able to disable remote root logins via ssh by setting
"PermitRootLogin" to "no" in /etc/ssh/sshd_config, but I'm still curious why
the settings in securetty don't seem to be working. Can anyone point out
what I'm missing?


Thanks,

Michael Watson
mwatso@xxxxxxxxxx
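
The onerr choice mentioned in the reply, as an added example that is not part of either mail: a shell sketch that models, in simplified form, the verdict of the pam_listfile rule when the allow list is present and when it is missing. The temporary files stand in for /etc/pam.d/sshd and /etc/sshusers; the account name alice and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the mails above): simplified model of the verdict
# a pam_listfile rule gives, to compare onerr=fail with onerr=succeed.

# listfile_verdict PAM_FILE USER -> prints allow, deny, or bad-config
listfile_verdict() {
    lv_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$1" | head -n 1)
    lv_file='' lv_sense='' lv_onerr=''
    for lv_opt in $lv_line; do
        case $lv_opt in
            file=*)  lv_file=${lv_opt#file=} ;;
            sense=*) lv_sense=${lv_opt#sense=} ;;
            onerr=*) lv_onerr=${lv_opt#onerr=} ;;
        esac
    done
    # This sketch insists on explicit options rather than guessing defaults.
    if [ -z "$lv_file" ] || [ -z "$lv_sense" ] || [ -z "$lv_onerr" ]; then
        echo bad-config; return 0
    fi
    # List missing or unreadable: onerr alone decides, for every user.
    if [ ! -r "$lv_file" ]; then
        if [ "$lv_onerr" = succeed ]; then echo allow; else echo deny; fi
        return 0
    fi
    if grep -qxF -- "$2" "$lv_file"; then lv_listed=yes; else lv_listed=no; fi
    if [ "$lv_sense" = allow ] && [ "$lv_listed" = yes ]; then echo allow
    elif [ "$lv_sense" = deny ] && [ "$lv_listed" = no ]; then echo allow
    else echo deny; fi
}

# list_mode FILE -> permission string, e.g. -rw------- after chmod 600
list_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed sample: temp files stand in for /etc/pam.d/sshd and /etc/sshusers.
demo_dir=$(mktemp -d)
echo alice > "$demo_dir/sshusers"          # "alice" is a made-up account
chmod 600 "$demo_dir/sshusers"
echo "list mode: $(list_mode "$demo_dir/sshusers")"
for demo_onerr in fail succeed; do
    echo "auth required /lib/security/pam_listfile.so item=user sense=allow file=$demo_dir/sshusers onerr=$demo_onerr" > "$demo_dir/sshd.$demo_onerr"
done
for demo_state in present missing; do
    if [ "$demo_state" = missing ]; then rm "$demo_dir/sshusers"; fi
    for demo_onerr in fail succeed; do
        echo "list $demo_state, onerr=$demo_onerr: alice=$(listfile_verdict "$demo_dir/sshd.$demo_onerr" alice) root=$(listfile_verdict "$demo_dir/sshd.$demo_onerr" root)"
    done
done
rm -rf "$demo_dir"
```

With the list missing, onerr=succeed makes the rule pass every user, root included, while onerr=fail makes it deny every user.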





