Very Computer

I need a mechanism to restrict root logins to the console.

If I change the user characteristics "valid TTYs" to the console
you can only "su" to "root" from the console. (this is not practical)

I have submitted a system change request to IBM and they refused.

Can anyone give me advice on a work around?

                             UUCP:     ...philabs!sbcs!bnl!como

Quote:

>I need a mechanism to restrict root logins to the console.

>If I change the user characteristics "valid TTYs" to the console
>you can only "su" to "root" from the console. (this is not practical)

>            Andrew Como

What good is it to restrict root logins to the console if you do allow other
users to su to root from other TTY's?

Anyway, one way of doing this would be to write your own authentication
method.  I've never done this myself, but you define the authentication
methods in the /etc/security/login.cfg file.
--
---------------------------------------------------------------------------

The content of this posting is independent of official IBM position.
External: uunet!cs.utexas.edu!ibmaus!auschs!kleikamp.austin.ibm.com!dave

Quote:>Anyway, one way of doing this would be to write your own authentication
>method.  I've never done this myself, but you define the authentication
>methods in the /etc/security/login.cfg file.

   if (I'm on the console) or (root does NOT own my tty (i.e. I'm su'ed))
      exit successfully
   else
      rant, rave, raise red flags
   endif

should work.... I assume there's TFM on secondary authentication methods....

-- Glenn R. Stone

Quote:>I need a mechanism to restrict root logins to the console.

>If I change the user characteristics "valid TTYs" to the console
>you can only "su" to "root" from the console. (this is not practical)

>I have submitted a system change request to IBM and they refused.

>Can anyone give me advice on a work around?

First the easy way ...

--- iscon.c ---
main ()
{
        char    *cp;

        if ((cp = ttyname (0)) && strcmp (cp, "/dev/console") == 0)
                exit (0);
        else
                exit (1);

Quote:}

Compile that command and store it in /etc as /etc/iscon.  It should
be executable by everyone - mode 555.

Now, in the file /etc/security/user, make the "auth1" attribute in
the root stanza have the value "auth1 = CONSOLE;SYSTEM".  Then edit
the file /etc/security/login.cfg and added the stanza

CONSOLE:
        program = /etc/iscon

Now root is able to login only on the console.

DISCLAIMER:  I've not tried this, but I did work on the code that
implements the security features and this =should= work.  I don't
make any guarantees about this working, and none should be inferred.
--
John F. Haugh II      |      I've Been Moved     |    MaBellNet: (512) 838-4340
SneakerNet: 809/1D064 |          AGAIN !         |      VNET: LCCB386 at AUSVMQ
BangNet: ..!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)

Quote:>Anyway, one way of doing this would be to write your own authentication
>method.  I've never done this myself, but you define the authentication
>methods in the /etc/security/login.cfg file.

Quote:>>>I need a mechanism to restrict root logins to the console.

should do the trick if your other terminals are on the network.
If you have both network and serial terminals, you're going to
have to go to the secondary authentication methods mentioned
earlier.

From: Vance R. Bass                AIX Systems Specialist, IBM Knoxville

        Any resemblance between the above and the official IBM
                  position is purely coincidental.
+----------------------------------------------------------------------+
| You think you know when you learn, are more sure when you can write, |
| even more when you can teach, but certain when you can program.      |
+----------------------------------------------------------------------+

Quote:>What good is it to restrict root logins to the console if you do allow other
>users to su to root from other TTY's?

--
Sean Eric Fagan  | "I made the universe, but please don't blame me for it;

-----------------+           -- The Turtle (Stephen King, _It_)
Any opinions expressed are my own, and generally unpopular with others.

Quote:> In article (Andrew T. Como) writes:

> >I need a mechanism to restrict root logins to the console.

> >If I change the user characteristics "valid TTYs" to the console
> >you can only "su" to "root" from the console. (this is not practical)

> >               Andrew Como

valid TTYs = tty0               FAILS
valid TTYs = /dev/tty0          WORKS

I do not remember if I tried '/dev/console' or not, but '/dev/tty?'
works fine.  This will restrict LOGINS of the user to this device, however
it will not restrict others from switching user to this user while
logged in on other devices.

Brian Zimbelman
President
Innovative Solutions

Disclaimer: Works for me!!!
-----------------------------------------------------------------------------
Innovative Solutions                            (505) 883-4252

Albuquerque, NM 87110                           bbx.basis.com!is!brian

To find out who is su'ing to root, turn on auditing for the appropriate
audit event for all of your users.  su will then cut an audit record
everytime someone uses it.  Each record contains enough information to
figure out who done it.
--
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh

"UNIX signals are not interrupts.  Worse, SIGCHLD/SIGCLD is not even a UNIX
 signal, it's an abomination."  -- Doug Gwyn

auth.debug      /tmp/yourfile /* OR /dev/console, or whatever */

to /etc/syslog.conf file, and wa-la su's will be recorded.

The fix should be in 2007, otherwise you can request it from defect
support.

Quote:>John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh