[HPADM] RE: RE: -SUMMARY- root login with remsh and securetty

From: alanriggs@tycoint.com
Date: Wed Jan 05 2005 - 16:10:18 EST


Please pardon the blanket reply, but I believe the information given for
remsh/rlogin is incorrect. The key to the behavior of /etc/securetty is
that it restricts the terminals ("tty") from which root can connect.
Basically, this restricts telnet and console connections. Rlogin uses a
pseudo slave terminal (pts) so it does not get "caught" by the
/etc/securetty net.

Alan Riggs
Manager, Distributed Computing Services
Tyco Safety Products
Boca Raton, Fl
(561)912-6182
alanriggs@tycoint.com

-----Original Message-----
From: Naylor, Jim [mailto:Jnaylor@Schnucks.com]
Sent: Wednesday, January 05, 2005 3:49 PM
To: Hpux-Admin@Dutchworks. Nl (E-mail)
Subject: [HPADM] RE: -SUMMARY- root login with remsh and securetty

Thanks to all for the responses. Original question at bottom. Most agreed
that you just need to put an entry in root's .rhosts file as follows:

mainframe_name mainframe_user_name

This seems to work fine. I was under the assumption that this would not work
because of the securetty but that is not the case.

As pointed out by Eef Hartman:
remsh (but NOT rlogin) is restricted by the root user's ".rhosts", not by
/etc/securetty (that is for INTERactive shells only!).
So if you put into the root .rhosts file JUST the single line
<mainframe.domain> root
then THAT machine can use "remsh" and "rcp", but still NO rlogin.

Rather than:
<mainframe.domain> root

I did:

<mainframe.domain> mainframe_user_name

Thanks Again,

-----Original Message-----
From: Naylor, Jim
Sent: Tuesday, January 04, 2005 1:31 PM
To: Hpux-Admin@Dutchworks. Nl (E-mail)
Subject: [HPADM] root login with remsh and securetty

Hello All,
I have been searching the archive but cannot seem to find an answer. We are
running HP-UX 11.0 and have in the file /etc/securetty one entry,
"console". As you all know this is to restrict direct root login to the
console only. What I need to be able to do is allow a remsh from our
mainframe as root but from nowhere else. We are trying to use our mainframe
as a job scheduler which is quite effective as long as none of the jobs
require root to run them. We have a half dozen jobs that do require root to
run them. I was hoping there was an option in securetty or some other method
to specify a single remote system to login as root and still maintain
restrictions from any other. Unfortunately I have not been able to find a
way to do this, thus I post the question to the list. Is this possible?

Thanks,
Jim Naylor
Unix/Storage Systems Administrator
Schnuck Markets, Inc.
Direct (314) 994-4784
Cell (314) 691-0186
Fax (314) 994-4684
E-Mail jnaylor@schnucks.com

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl

 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:45 EDT
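
A check an administrator could run after adding the .rhosts entry discussed in this thread, as an added example that is not part of any poster's message: it confirms the file trusts only one expected host/user pair, contains no `+` wildcards, and is not group- or other-writable. The function name `audit_rhosts` and the host `mainframe.example.com` are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit a .rhosts file against the one
# "host user" pair that is supposed to be trusted.
#
# audit_rhosts FILE ALLOWED_HOST ALLOWED_USER
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_rhosts() {
    file=$1 want_host=$2 want_user=$3 bad=0 lineno=0

    [ -r "$file" ] || { echo "cannot read $file"; return 2; }

    # The r-commands trust this file, so only its owner should be able to write it.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) echo "$file: group/other writable ($mode)"; bad=1 ;;
    esac

    while read -r host user extra || [ -n "$host" ]; do
        lineno=$((lineno + 1))
        case $host in ''|'#'*) continue ;; esac   # blank, or '#' line treated as a comment
        # No user field means the same-named remote user (root, in root's file).
        [ -n "$user" ] || user="(same-name user)"
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "$file:$lineno: wildcard trust: $host $user"; bad=1
        elif [ -n "$extra" ] || [ "$host" != "$want_host" ] || [ "$user" != "$want_user" ]; then
            echo "$file:$lineno: unexpected entry: $host $user $extra"; bad=1
        fi
    done < "$file"

    return $bad
}

# Constructed sample input: the kind of entry the thread settled on, plus a wildcard.
demo=${TMPDIR:-/tmp}/rhosts-demo.$$
( umask 077; printf '%s\n' 'mainframe.example.com mainframe_user_name' '+ +' > "$demo" )
audit_rhosts "$demo" mainframe.example.com mainframe_user_name || echo "exit status: $?"
rm -f "$demo"
```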