Full Discussion: why I cannot login by root
Operating Systems AIX why I cannot login by root Post 302175417 by bakunin on Friday 14th of March 2008 12:09:43 AM
Old 03-14-2008
The one possibility (in the ssh config) has already been mentioned. Another possibility would be to (dis-)allow the user root the remote login directly. This is one of the user attributes: check with "lsuser" and if this shows "rlogin=false" change the attribute to "true" by "chuser -a rlogin=true root".

The notion that this poses a security risk is IMHO a misconception. By allowing root to log in directly there is no auditing possible any more about who (personally) has logged in. It could be anybody with the root password. If root cannot log in directly the user would have to log in with his normal account and then use "su" to become root. Both events can be logged (/var/adm/wtmp and sulog).

Still, having an event be auditable does not mean enhanced security by itself. It merely means you can blame it on somebody in case something goes wrong. Further, anybody with a root account could alter these logs so that they are unusable. So this is creating a false sense of security which in fact is not provided by these measures.

bakunin
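
The su audit trail mentioned in the post above, as an added example that is not part of the original post: a small parser that lists which personal accounts became root and which attempts failed. It assumes the common sulog line layout `SU MM/DD HH:MM +|- tty from-to`; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed sulog layout (not shown in the post): SU MM/DD HH:MM +|- tty from-to
SULOG_LINE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog(lines):
    """Turn sulog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        match = SULOG_LINE.match(line.strip())
        if match:
            date, clock, flag, tty, src, dst = match.groups()
            events.append({"when": f"{date} {clock}", "ok": flag == "+",
                           "tty": tty, "from": src, "to": dst})
    return events


def summarize_root(events):
    """Return (successful switches to root, failed attempts counted per account)."""
    to_root = [e for e in events if e["to"] == "root"]
    succeeded = [e for e in to_root if e["ok"]]
    failed = Counter(e["from"] for e in to_root if not e["ok"])
    return succeeded, failed


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real system.
    sample = [
        "SU 03/14 00:09 + pts/0 alice-root",
        "SU 03/14 00:12 - pts/1 bob-root",
        "SU 03/14 00:13 - pts/1 bob-root",
        "SU 03/14 00:20 + pts/2 alice-oracle",
    ]
    succeeded, failed = summarize_root(parse_sulog(sample))
    for event in succeeded:
        print(f"{event['when']} {event['from']} became root on {event['tty']}")
    for account, count in failed.items():
        print(f"{account}: {count} failed su attempt(s) to root")
```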
 

HOSTS.EQUIV(5)              BSD File Formats Manual              HOSTS.EQUIV(5)

NAME
     hosts.equiv, .rhosts -- trusted remote hosts and host-user pairs

DESCRIPTION
     The hosts.equiv and .rhosts files list hosts and users which are "trusted" by the local host when a connection is made via rlogind(8), rshd(8), or any other server that uses ruserok(3). This mechanism bypasses password checks, and is required for access via rsh(1).

     Each line of these files has the format:

           hostname [username]

     The hostname may be specified as a host name (typically a fully qualified host name in a DNS environment) or address, +@netgroup (from which only the host names are checked), or a "+" wildcard (allow all hosts).

     The username, if specified, may be given as a user name on the remote host, +@netgroup (from which only the user names are checked), or a "+" wildcard (allow all remote users).

     If a username is specified, only that user from the specified host may login to the local machine. If a username is not specified, any user may login with the same user name.

EXAMPLES
     somehost
             A common usage: users on somehost may login to the local host as the same user name.

     somehost username
             The user username on somehost may login to the local host. If specified in /etc/hosts.equiv, the user may login with only the same user name.

     +@anetgroup username
             The user username may login to the local host from any machine listed in the netgroup anetgroup.

     +
     + +
             Two severe security hazards. In the first case, allows a user on any machine to login to the local host as the same user name. In the second case, allows any user on any machine to login to the local host (as any user, if in /etc/hosts.equiv).

WARNINGS
     The username checks provided by this mechanism are not secure, as the remote user name is received by the server unchecked for validity. Therefore this mechanism should only be used in an environment where all hosts are completely trusted.

     A numeric host address instead of a host name can help security considerations somewhat; the address is then used directly by iruserok(3).

     When a username (or netgroup, or +) is specified in /etc/hosts.equiv, that user (or group of users, or all users, respectively) may login to the local host as any local user. Usernames in /etc/hosts.equiv should therefore be used with extreme caution, or not at all.

     A .rhosts file must be owned by the user whose home directory it resides in, and must be writable only by that user.

     Logins as root only check root's .rhosts file; the /etc/hosts.equiv file is not checked for security. Access permitted through root's .rhosts file is typically only for rsh(1), as root must still login on the console for an interactive login such as rlogin(1).

FILES
     /etc/hosts.equiv    Global trusted host-user pairs list
     ~/.rhosts           Per-user trusted host-user pairs list

SEE ALSO
     rcp(1), rlogin(1), rsh(1), rcmd(3), ruserok(3), netgroup(5)

HISTORY
     The .rhosts file format appeared in 4.2BSD.

BUGS
     The ruserok(3) implementation currently skips negative entries (preceded with a "-" sign) and does not treat them as "short-circuit" negative entries.

BSD                            November 26, 1997                            BSD
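
An audit of the hazards this manual page lists, as an added example that is not part of the manual page or of any BSD source: it flags "+" wildcards, usernames in /etc/hosts.equiv, negative entries that deny nothing, and .rhosts files with the wrong owner or write permissions. The function names, the handling of "#" comment lines and the sample entries are assumptions made for illustration.

```python
import os
import stat


def audit_line(line, is_hosts_equiv):
    """Return findings for one 'hostname [username]' line."""
    fields = line.split()
    # Assumption: blank lines and '#' comment lines carry no entry.
    if not fields or fields[0].startswith("#"):
        return []
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host.startswith("-") or (user or "").startswith("-"):
        # BUGS section: negative entries are skipped, so they deny nothing.
        return ["negative entry is skipped by ruserok(3)"]
    findings = []
    if host == "+":
        findings.append("'+' trusts every remote host")
    if user == "+":
        findings.append("'+' trusts every remote user")
    if user is not None and is_hosts_equiv:
        findings.append("username in hosts.equiv may log in as any local user")
    return findings


def audit_file(path, is_hosts_equiv, owner_uid=None):
    """Return (line_number, finding) pairs; line 0 refers to the file itself."""
    findings = []
    st = os.stat(path)
    if not is_hosts_equiv:
        # WARNINGS section: .rhosts must be owned and writable only by its user.
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((0, "not owned by the account it belongs to"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((0, "writable by group or others"))
    with open(path) as handle:
        for number, line in enumerate(handle, 1):
            findings += [(number, f) for f in audit_line(line, is_hosts_equiv)]
    return findings


if __name__ == "__main__":
    # Constructed sample entries, mirroring the EXAMPLES section above.
    sample = ["somehost", "somehost username", "+@anetgroup username",
              "+", "+ +", "-badhost"]
    for entry in sample:
        for where, equiv in (("/etc/hosts.equiv", True), ("~/.rhosts", False)):
            for finding in audit_line(entry, equiv):
                print(f"{where}: {entry!r}: {finding}")
```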