Ummm ... that's a silly idea. What do you do if that one
session gets hung? Reboot the machine?


Cheers,
Tink


P.S.: Please change your font, it's too fat and ugly ;}

well if u get stuck then there will be no other option other than reboot, do it wisely.

for red hat distro

first hash out all entries in /etc/securetty except tty1, so that u can login via root only on one tty1 on the console connected to server/machine.

remove suid bit from /usr/bin/sudo, /bin/su, /usr/bin/sudoedit so that no other user can switch user to root via su or sudo if sudoers enabled.

In /etc/ssh/sshd_login remove hash from PermitRootLogin & make it no, so that root cannot login to machine via ssh.

if you do all this then root can login only via tty1 on console connected to server/machine.

i hope this helps.

Thanks for the replies,
yes i had thought of that situation.. in that case what i had thought of an option is to give sudo permission to only one special user which is known only to admin to kill that terminal.. may be i am wrong.. are there any specific way or specific config file that tells about number of root login restrictions ?

@maxy7710
and one more thing is if we disable root login in sshd config file ( or remove suid bit from /usr/bin/sudo, /bin/su ) .. and if the root terminal is logged out then it will not be possible for the ssh user or any other user to login as root even though there is no root logged in ? how to solve this problem ?

As i said if u follow the 3 steps i've told, then u can only login thru tty1 via console attached to server.

if the tty1 hangs then only one option left, which to reboot the server.

but if u want u can make one sudo user & give it root permissions in /etc/sudoers & do not remove suidf bit from /usr/bin/sudo.

this would be better option.

What's the point of allowing only one root login ?
Once root is logged he can change all those things back.

root is the system admin & if the roots password is not compromised than having a single root login comes in handy, cos risk of anonymous user tampering u r system minimizes.

I know that root is system admin, but anyway I can't see what's a point.

If root password IS compromised than one should reinstall the system
If root password IS NOT compromised then only real sys admin can log as root.

Once root is logged in there is nothing preventing him from logging again
(include undoing any changes that prevent login).

And how is it different logging twice on different virtual consoles and say login only once and open two xterm ?

if the system admin wants only one root login then why would he reverts the changes after logging.
if remote root login is disabled then he wont even be able to open a single virtual console for user root.

That's what I don't get - why sysadmin will want to limit his own options in such way

for security

i.e

servers are kept in server rooms & limited people have access to it.

people who have access are mostly considered trustworthy.

so we are minimizing risk of exposing normal users connecting to server or servers exposed to internet.

i hope you understand.

Not really. What "exposing normal users connecting to server" have do with a root login ?

The only thing I can think about when it can be somehow useful - preventing two sysadmins from simultaniosly working on one server.

But I think it should be solved by administrative means.