disabling telnet login for root only

Hi,

I want to disable telnet login for root only so that other users can telnet?

Regards,
Manoj

The easiest, portable way is to use the tcpd/tcp_wrappers library by Wietse Venema. With this, /etc/services does not contain the telnetd program directly, but a line that invokes the program "tcpd" which in turn checks the files /etc/hosts.allow and /etc/hosts.deny. In these files, you can set policies however you desire (per process, per user, per source host).

Do a man on hosts_access (5).

Or add ssh and drop telnet; the ssh config allows the blocking of root access.

I'll just add that ssh is installed in Solaris version 7 or 8 and greater, but it's best if you get the latest version, since older versions have known exploits.

I think this will help you,
this is /etc/hosts.equiv file
use the highlighted one,
like, enter this line at the end...

hostname -root

try this entry for root.

thanks

Do you want to disable the telnet login only or remote login in general? If the latter is the case, use the "chuser" command to revoke the "rlogin" right for root. You can also revoke the "login" right to disable root login via a console. See the manpage for "chuser" for the details. Revoking both rights will still retain the possibility to log on as user and use "su" to become root. It only prevents logging in as root.

chuser modifies the file /etc/security/login but it is better to use the system commands instead of modifying the file directly. Therefore use "chuser" instead of editing the file.

I hope this helps.

bakunin

This is incorrect. This applies to rsh/rlogin. It's safer to remove /etc/hosts.equiv.

chuser rlogin=false root

and it will disable direct remote login with telnet or rlogin (only console login is allowed).

BUT ssh login will still work if sshd_config is not properly configured, and so will the rexec commands for users accredited in the ".rhost" files.

chuser rlogin='false' root ( This will disable login for the root user directly )
Users can then just log in and su to root.

If you have set up your system to be more secure, this should be your standard of work.
I would also recommend you use SSH, as telnet is not the best choice as far as security goes.
To allow you to capture all logins, make sure that you use syslog to log system access and increase logging for stuff in inetd.conf.
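
Added example, not part of any post in this thread: a small audit that checks the two settings discussed above together, root's effective "rlogin" attribute and the global PermitRootLogin in sshd_config, since closing telnet alone leaves ssh open. The function names are hypothetical, the sample file contents are constructed, and it assumes the rlogin attribute is kept in an AIX stanza file in the format of /etc/security/user.

```shell
#!/bin/sh
# Added example. The sample file contents below are constructed.

# Effective value of ATTR for USER in an AIX stanza file: the user's own
# stanza wins, otherwise the "default" stanza applies.
stanza_attr() {   # $1 = file, $2 = user, $3 = attribute
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                          # "*" starts a comment
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        { line = $0; gsub(/[ \t]/, "", line); n = index(line, "=")
          if (n && substr(line, 1, n - 1) == attr) val[cur] = substr(line, n + 1) }
        END { if (user in val) print val[user]
              else if ("default" in val) print val["default"] }' "$1"
}

# Global PermitRootLogin from an sshd_config (first occurrence wins, Match
# blocks are not evaluated); prints "unset" when no global line is present.
sshd_root_login() {   # $1 = sshd_config path
    awk '{ gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Returns 0 only when root is blocked on telnet/rlogin AND on ssh.
audit_root_remote() {   # $1 = stanza file, $2 = sshd_config
    rc=0
    rlogin=$(stanza_attr "$1" root rlogin)
    [ "$rlogin" = "false" ] || { echo "FAIL: root rlogin=${rlogin:-unset}"; rc=1; }
    ssh=$(sshd_root_login "$2")
    [ "$ssh" = "no" ] || { echo "FAIL: sshd PermitRootLogin=$ssh"; rc=1; }
    return $rc
}

# Constructed sample: telnet/rlogin is closed for root, ssh is still open.
make_samples() {   # $1 = directory to write into
    printf '%s\n' '* constructed sample' 'default:' '    rlogin = true' '' \
        'root:' '    rlogin = false' '' 'manoj:' '    admin = false' > "$1/user"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$1/sshd_config"
}

d=$(mktemp -d)
make_samples "$d"
audit_root_remote "$d/user" "$d/sshd_config" || echo "root can still log in remotely"
```

On a real host, pass the system's own files to audit_root_remote instead of the sample directory; an "unset" or "prohibit-password" result is reported as a failure because root may still be able to log in over ssh.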