A.P. Lawrence

Information and Resources for Unix and Linux Systems
Bloggers and the self-employed

Home
Kerio
Sections
- MacOSX
- Linux
- Blogging
- Self-Employment
- Support
Contents
- Most Popular
- Browse All Topics
- Newest Articles
- Random Page
- Surveys
Tests
- Linux
- Mac OS X
- SCO Unix
- Perl
Resources
- Site Forum
- Write for this site
- Find a Consultant
- Contact Info
- RSS Feeds
- Store
- Advertise Here
- Disclaimer
Help
- About
- Rates
- Copyrights
- Contact
- Support

(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Kerio Reseller
Printer Friendly Version

This article is from a FAQ concerning SCO operating systems. While some of the information may be applicable to any OS, or any Unix or Linux OS, it may be specific to SCO Xenix, Open Desktop or Openserver.

There is lots of Linux, Mac OS X and general Unix info elsewhere on this site: Search this site is the best way to find anything.

Unix, Xenix and ODT General FAQ

How can I prevent root logins over telnet?

First, you can limit root logins to a specific device by adding an entry to /etc/default/login:

CONSOLE=/dev/tty01

Hate these ads?

restricts root to the ALT-F1 multiscreen only. Unfortunately, there doesn't seem to be any way to add more than one device with CONSOLE, so that locks root out of tty02 and all the rest.

Less secure, but still useful, is to test within /etc/profile to boot root out of any but the multiscreens. Code to do that might look like:

IAM=`who am i | cut -d" " -f1`
TTY=`tty`
if [ $IAM = "root" ]
then
  case $TTY in
   /dev/tty[0-1][0-9]) : ;;
   *) exit 0;;
   esac
fi

But this simplistic approach can cause problems with single user mode login. To avoid that, you need something that uses "who -r" to test the run-level and avoid the other tests if it isn't multiuser.

The 5.0.6 release adds a REMOTE_ROOT_OK keyword that can be used in /etc/default/login that *will* allow network access while when CONSOLE is set! See "man login" (5.0.6).

Psst - Wanna work for yourself?

Comments

Add your comments

Why no "Digg this!" etc.?

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Printer Friendly Version

Views for this page
Today	This Week	This Month	This Year	Overall
1	24	79	1,187	2,799

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Printer Friendly Version

More:

- FAQ

Unix/Linux Consultants

Your ad here - $48.00 yearly!

http://www.m3ipinc.com Security, firewalls, ids, audits, vulnerability assesments, BS7799, HIPAA, GLB, incident handling

http://www.vss3.com SCO/Caldera OpenServer, Unixware & Linux. Tarantella & Non-stop Clustering

http://echo3.net/ Unix/Linux Custom Applications, Web Hosting, C/C++ Programming Courses

Twitter

Nov 21 07:55
@loudmouthman: correct, but how do you prove ANYTHING like that is accurate? You can't. A text file is no better or worse than anything.
Nov 21 07:40
@loudmouthman: well, a digital signature could prove it hadn't been altered. Text is no more insecure than anything else in that sense.

Coming Attractions

My Favorites