>I need a mechanism to restrict root logins to the console.
>If I change the user characteristics "valid TTYs" to the console
>you can only "su" to "root" from the console. (this is not practical)
>I have submitted a system change request to IBM and they refused.
>Can anyone give me advice on a work around?
The information you are looking for is documented with the system
security features. What you want is an authentication method that
will allow you to specify that the method only runs on the console
(the easy way) or that there is a file containing user/port mappings.
First the easy way ...
--- iscon.c ---
#include <string.h>   /* strcmp */
#include <unistd.h>   /* ttyname */
int main () { char *cp; return !((cp = ttyname (0)) && strcmp (cp, "/dev/console") == 0); } /* exit 0 only on the console */
Compile that command and store it in /etc as /etc/iscon. It should
be executable by everyone - mode 555.
Now, in the file /etc/security/user, make the "auth1" attribute in
the root stanza have the value "auth1 = CONSOLE;SYSTEM". Then edit
the file /etc/security/login.cfg and add the stanza
program = /etc/iscon
Now root is able to login only on the console.
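As an added example (not the poster's iscon.c), here is the same console check written out in full with the decision in a testable helper; it assumes that AIX treats exit status 0 from an auth-method program as success and non-zero as failure, and that the login.cfg stanza is named CONSOLE to match the auth1 value.

```c
/* Added example, not the original iscon.c.  Assumption: the "program"
 * named in a login.cfg auth stanza is run at login and its exit status
 * decides the outcome (0 = allow, non-zero = deny). */
#include <string.h>
#include <unistd.h>

#define CONSOLE_DEV "/dev/console"

/* Return 1 when the tty attached to stdin is exactly the console device.
 * A NULL name means stdin is not a terminal at all (e.g. a network or
 * batch login); that must also be rejected, otherwise a session with no
 * tty would slip past a check meant to confine root to the console. */
int is_console(const char *tty)
{
    if (tty == NULL)
        return 0;
    return strcmp(tty, CONSOLE_DEV) == 0;
}

/* Exit status for the auth method: 0 allows the login, 1 denies it. */
int iscon_status(const char *tty)
{
    return is_console(tty) ? 0 : 1;
}

int main(void)
{
    /* ttyname(0) gives the terminal on stdin, or NULL if there is none. */
    return iscon_status(ttyname(0));
}
```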
DISCLAIMER: I've not tried this, but I did work on the code that
implements the security features and this =should= work. I don't
make any guarantees about this working, and none should be inferred.
John F. Haugh II | I've Been Moved | MaBellNet: (512) 838-4340
SneakerNet: 809/1D064 | AGAIN ! | VNET: LCCB386 at AUSVMQ
BangNet: ..!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)