Deny root rlogin

funksen · January 25, 2007, 8:08am

Hi,

I have to forbid root-logins on all my servers, expect from two machines, these 2 machines login with root without a password

it was quite easy with ssh, but I have a problem regarding rsh/rlogin, an there
are a lot of rsh jobs, so it would take a lot of time to change all this scripts to ssh

it sould work like the sshd_config entry: "PermitRootLogin without-password" just for rsh

telnet is deactivated

I cannot install an ip-wrapper (well I can but I shouldn't :)) , so I have to realise this just with base AIX tools, I searched for a day, but couldn't find a solution for my problem

I hope you guys can help

(AIX5.3 ML 03 and AIX5.3 TL 05 fp4)

thanks in advance

funksen

cero · January 25, 2007, 9:16am

I guess you only want to deactivate remote login for root.

chuser rlogin=false root

should do the job or use
smitty=>Security & Users=>Login Controls=> Change / Show Login Attributes for a User=> User NAME=root =>User can LOGIN REMOTELY(rsh,tn,rlogin)?=false

funksen · January 25, 2007, 9:21am

thanks for the reply, but two machines still have to root login without password on all other machines, your solution would forbid every remote root login at all

sysgate · January 25, 2007, 9:24am

Possible workaround ? :
As root, edit /etc/inetd.conf ; Comment out the line 'login ... rlogin'
Run 'inetimp' ; Run 'refresh -s inetd'
Hope this helps.

funksen · January 25, 2007, 9:49am

hi sysgate

thats almost what I wanted, I'll keep that in mind if I cannot find another solution

thanks!

the problem is, that every rlogin is forbidden this way, but other users should be able to rlogin

I would loose remote control over the machine if sshd hangs, not a big problem for hmc systems, but bad for standalone systems