06-05-2008
Prevent users logging in as root
I would like to know how to prevent users connecting to a server using SSH as root.
I would still like them to be able to login with their username and then change to su.
But I would like to prevent them logging in directly as root.
I have searched the forum and read that I should set PermitRootLogin to no.
I am using Solaris 10 and have opened 'sshd_config' to find the line 'PermitRootLogin' which is already set to 'no' but I can log in as username root.
Any ideas?
Thanks
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi
How can I prevent anyone from logging in as root directly? I have added the line
console=/dev/null
to the file /etc/default/login
I was still able to login as root from the console. Please advice.
Thanks
Srini (4 Replies)
Discussion started by: skotapal
4 Replies
2. UNIX for Dummies Questions & Answers
How to prevent root users from editing files (logs)? Is there any way? (4 Replies)
Discussion started by: vehchi
4 Replies
3. AIX
At the office, we often have to edit one file with VI. We are 4-6 workers doing it and sometimes can be done at the same time.
We have found a problem and want to prevent it with a file lock. Is it possible and how ?
problem :
Worker-a starts edit VI session on File-A at 1PM
Worker-b... (14 Replies)
Discussion started by: Browser_ice
14 Replies
4. AIX
What is the best way to logoff users from my Unix system? I have done a search and found that you can do a w or who - find who is on, and ps-ef | grep <user> and kill their processes. But what if you have a bunch of users and you need them off the system quickly? Killing individual processes... (1 Reply)
Discussion started by: outtacontrol
1 Replies
5. UNIX for Advanced & Expert Users
We have a shared development box, running Solaris 10 that is an NIS client, all the developers have local root password. If they know the NIS uid of another user, they can just do
% useradd -u <uid> login
And then log in as that user and have full access to his files in his home directory. ... (3 Replies)
Discussion started by: nfw
3 Replies
6. Shell Programming and Scripting
Hi,
How do force users to log off Unix through shell? (2 Replies)
Discussion started by: Wahmed9
2 Replies
7. Shell Programming and Scripting
I have a script which do validation check and perform code migration from one env. to another, this is built for users/developers.
How can I prevent this shell script from copy or read from users, as they can modify it and run it as per their requirement where as this has to be standard script and... (1 Reply)
Discussion started by: pramendra
1 Replies
8. Solaris
Dear all,
i have two users user1 and user2 i want force user1 to login first by user2 and then su - user1
i want to prevent logging user1 from console directly (5 Replies)
Discussion started by: maxim42
5 Replies
9. Shell Programming and Scripting
I need to list users in /etc/passwd with root's GID or UID or /root as home directory
If we have these entries in /etc/passwd
root:x:0:0:root:/root:/bin/bash
rootgooduser1:x:100:100::/home/gooduser1:/bin/bash
baduser1:x:0:300::/home/baduser1:/bin/bash... (6 Replies)
Discussion started by: anil510
6 Replies
10. OS X (Apple)
So far nobody on ASC, nor anywhere was able to respond to my issue and Google wasn't much of help either.
I started to experience the issue some time ago: my OS is Lion 10.7.5. It occurs in all apps that have the function of versioning (iWork which I have updated up to v9.2, namely, Pages 4.2,... (0 Replies)
Discussion started by: scrutinizerix
0 Replies
LEARN ABOUT REDHAT
login.krb5
LOGIN(8C) LOGIN(8C)
NAME
login.krb5 - kerberos enhanced login program
SYNOPSIS
login.krb5 [ -fF [username] ]
DESCRIPTION
login.krb5 is a modification of the BSD login program which is used for two functions. It is the sub-process used by krlogind and telnetd
to initiate a user session and it is a replacement for the command-line login program which, when invoked with a password, acquires Ker-
beros tickets for the user.
login.krb5 will prompt for a username, or take one on the command line, as login.krb5 username and will then prompt for a password. This
password will be used to acquire Kerberos Version 5 tickets and Kerberos Version 4 tickets (if possible.) It will also attempt to run aklog
to get AFS tokens for the user. The version 5 tickets will be tested against a local krb5.keytab if it is available, in order to verify the
tickets, before letting the user in. However, if the password matches the entry in /etc/passwd the user will be unconditionally allowed
(permitting use of the machine in case of network failure.)
OPTIONS
-r hostname
pass hostname to rlogind.
-h hostname
pass hostname to telnetd, etc.
-f name
Perform pre-authenticated login, e.g., datakit, xterm, etc.; allow preauthenticated login as root.
-F name
Perform pre-authenticated login, e.g.,for datakit, xterm, etc.; allows preauthenticated login as root.
-e name
Perform pre-authenticated, encrypted login. Must do term negotiation.
CONFIGURATION
login.krb5 is also configured via krb5.conf using the login stanza. A collection of options dealing with initial authentication are pro-
vided:
krb5_get_tickets
Use password to get V5 tickets. Default value true.
krb4_get_tickets
Use password to get V4 tickets. Default value true.
krb4_convert
Use Kerberos conversion daemon to get V4 tickets. Default value false. If false, and krb4_get_tickets is true, then login will get
the V5 tickets directly using the Kerberos V4 protocol directly. This does not currently work with non MIT-V4 salt types (such as
the AFS3 salt type.) Note that if configuration parameter is true, and the krb524d is not running, login will hang for approxi-
mately a minute under Solaris, due to a Solaris socket emulation bug.
krb_run_aklog
Attempt to run aklog. Default value true.
aklog_path
Where to find it [not yet implemented.] Default value $(prefix)/bin/aklog.
accept_passwd
Don't accept plaintext passwords [not yet implemented]. Default value false.
DIAGNOSTICS
All diagnostic messages are returned on the connection or tty associated with stderr.
SEE ALSO
rlogind(8C), rlogin(1C), telnetd(8c)
BUGS
Should use a config file to select use of V5, V4, and AFS, as well as policy for startup.
LOGIN(8C)