"only one root login"
Hi all,
I just want to know how can I set up my Linux system to allow only one root login? i.e. say if a user is logged in as root on system A, then irrespective of whether it is a telnet session, ssh, local login or any other terminal, we should not allow another root login if there is one already... how can I do this? |
Ummm ... that's a silly idea. What do you do if that one session gets hung? Reboot the machine? Cheers, Tink P.S.: Please change your font, it's too fat and ugly ;} |
Well, if you get stuck then there will be no other option other than reboot, so do it wisely.
For Red Hat distros, first hash out all entries in /etc/securetty except tty1, so that you can log in as root only on tty1 on the console connected to the server/machine. Remove the suid bit from /usr/bin/sudo, /bin/su and /usr/bin/sudoedit so that no other user can switch user to root via su or sudo if sudoers is enabled. In /etc/ssh/sshd_login remove the hash from PermitRootLogin and make it no, so that root cannot log in to the machine via ssh. If you do all this then root can log in only via tty1 on the console connected to the server/machine. I hope this helps. |
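The three settings in the post above (active entries in /etc/securetty, the set-uid bit on su/sudo, and PermitRootLogin in sshd's configuration file, /etc/ssh/sshd_config) can be audited read-only before anything is changed. The script below is an added example, not code from the thread; the file names under $tmp are constructed samples, and on a real host the functions would be pointed at /etc/securetty, /etc/ssh/sshd_config and the real binaries. One caveat the check encodes: sshd uses the first uncommented occurrence of a keyword, so a later "PermitRootLogin no" does not override an earlier "yes".

```shell
#!/bin/sh
# Added example: read-only audit of the console/su/ssh root-login settings.
# Paths passed as arguments; nothing on the host is modified.

# Print every active (non-comment, non-blank) securetty entry other than tty1.
# An empty result means login(1) will accept root only on tty1.
securetty_extra() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -vx 'tty1'
    return 0
}

# Effective PermitRootLogin value: sshd keywords are case-insensitive and the
# first uncommented occurrence wins. Prints "unset" when the directive is absent
# (the compiled-in default then applies).
sshd_permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# Exit status 0 when the file still carries the set-uid bit.
is_suid() {
    [ -u "$1" ]
}

# Constructed sample inputs (hypothetical, not copied from any host).
tmp=$(mktemp -d)
printf '# console only\ntty1\n#tty2\n#tty3\n' > "$tmp/securetty.hardened"
printf 'console\ntty1\ntty2\npts/0\n'        > "$tmp/securetty.stock"
printf '#PermitRootLogin yes\nPermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/sshd_config.hardened"
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n'             > "$tmp/sshd_config.stock"
touch "$tmp/su.suid" "$tmp/su.plain"
chmod 4755 "$tmp/su.suid"    # stand-in for a stock /bin/su
chmod 0755 "$tmp/su.plain"   # stand-in for /bin/su after the suid bit is removed

# Report all three settings for one host: securetty file, sshd_config, then binaries.
audit_root_login() {
    tty_file=$1; ssh_file=$2; shift 2
    echo "securetty entries beyond tty1:"
    securetty_extra "$tty_file" | sed 's/^/  /'
    echo "PermitRootLogin: $(sshd_permit_root_login "$ssh_file")"
    for b in "$@"; do
        if is_suid "$b"; then echo "$b: set-uid still present"
        else echo "$b: set-uid removed"; fi
    done
}

audit_root_login "$tmp/securetty.hardened" "$tmp/sshd_config.hardened" "$tmp/su.suid" "$tmp/su.plain"
```

Run it against the real paths to see which of the three steps still apply; it deliberately reports rather than fixes, since (as later replies in this thread point out) a logged-in root can undo any of these changes, so the audit is mainly useful for confirming a box matches the policy you chose.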
Thanks for the replies, :)
Yes, I had thought of that situation. In that case what I had thought of as an option is to give sudo permission to only one special user which is known only to the admin, to kill that terminal. Maybe I am wrong. Is there any specific way or specific config file that deals with restricting the number of root logins? @maxy7710, one more thing: if we disable root login in the sshd config file (or remove the suid bit from /usr/bin/sudo, /bin/su), and the root terminal is logged out, then it will not be possible for the ssh user or any other user to log in as root even though there is no root logged in? How to solve this problem? |
As I said, if you follow the 3 steps I've told you, then you can only log in through tty1 via the console attached to the server.
If tty1 hangs then only one option is left, which is to reboot the server. But if you want, you can make one sudo user and give it root permissions in /etc/sudoers and not remove the suid bit from /usr/bin/sudo. This would be the better option. |
Quote:
Once root is logged in he can change all those things back. |
Root is the system admin, and if root's password is not compromised then having a single root login comes in handy, because the risk of an anonymous user tampering with your system is minimized. |
Quote:
If the root password IS compromised then one should reinstall the system. If the root password IS NOT compromised then only the real sysadmin can log in as root. Once root is logged in there is nothing preventing him from logging in again (including undoing any changes that prevent login). And how is it different logging in twice on different virtual consoles versus logging in only once and opening two xterms? |
If the system admin wants only one root login then why would he revert the changes after logging in?
If remote root login is disabled then he won't even be able to open a single virtual console for user root. |
Quote:
i.e. servers are kept in server rooms and a limited number of people have access to them. The people who have access are mostly considered trustworthy. So we are minimizing the risk from normal users connecting to the server, or from servers exposed to the internet. I hope you understand. |
Quote:
The only thing I can think of where it could be somehow useful is preventing two sysadmins from simultaneously working on one server. But I think that should be solved by administrative means. |