First, my thanks to:
"Brian T. Wightman" <wightman@sol.acs.uwosh.edu>
peter.allan@aea.orgn.uk (Peter Allan)
Steve Elliott <se@comp.lancs.ac.uk>
covingto@msmary.edu (Michael Covington)
one of whom chastised me for not having RTFM'ed (R'ed TFM?). Well, I
had RTFMs, but it didn't make it very clear (insert lengthy discussion
on the helpfulness of man pages in general and Sun's in particular).
Normally I can figure out what I need to from man pages, but they
weren't too clear on this issue.
Basically, what it comes down to is that labelling a (non-console) tty
insecure in /etc/ttytab will prevent root from logging into it w/a
passwd, but will not prevent rsh/rlogin via /.rhosts. I don't think
this applies to Solaris.
BTW, labelling console insecure won't keep someone w/the root passwd
from logging in on it -- it will simply force the use of the root
password to gain access in single-user mode.
One person seemed to be opposed to the restrictions out of concern
about what I would do if there are network problems. True, it would
make things somewhat more difficult for me, but the security advantage
exceeds the ease-of-administration issue here.
Thanks again,
LT
PS Here's the original question:
> To: Sun Managers <sun-managers@ra.mcs.anl.gov>
> Subject: Restricting Root Access (more selectively)
>
> Is there a way to disable all root logins unless they are rsh'ed from
> a machine in /.rhosts?
>
> What I mean is, I don't want anyone to be able to login as root neither
> on the console, a local terminal, nor on a network line (except if
> they're rsh'ing from a "friendly" machine).
>
> Can this be done?
>
> TIA,
> LT
,-----------------------------------------------------.
| Yale Economics Dep't    | Lenny Turetsky            |
| System Administrator    | lturetsk@econ.yale.edu    |
|-------------------------+---------------------------|
| My employers paid for some of my time and energy.   |
| My opinions were never for sale.                    |
`-----------------------------------------------------'
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:15 CDT