[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 658
  • Last Modified:

Lock up root accout

How do you change the settings so that 'root' account can ONLY be used/accessed on the node consol?
It shouldn't be allowed that anyone uses 'root' account to access the node from remote sites.
0
JohnLucania
Asked:
JohnLucania
3 Solutions
 
noondayCommented:
To disable remote login access for your root user, edit the /etc/security/user file. Specify False as the rlogin value on the entry for root.

Seems you have a lot of aix questions here...:)
0
 
JohnLucaniaAuthor Commented:
I view:

/etc/security/user

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true   ========> do you mean modifying this to 'False'?
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false
0
 
noondayCommented:
Not this one. This is under the stanza of "default" which applies to every user id. What you want to is to add "rlogin = false" into the stanza of root since you don't have this entry in it.

So it shoud look like this:

.
.
.
root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false
        rlogin = false
.
.
.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
tel2Commented:
It's been years, but I think disabling rlogins will not disable "any" TTY logins.  I think you set "TTY" to "/dev/tty0" or something.  Only necessary if there are TTYs apart from tty0, of course.
0
 
tel2Commented:
Sorry - that should have been:
  ttys = /dev/tty0
I think you can also do this via "smit security".
0
 
Sandy_itCommented:
This blocks users from telnet/rlogin:
# smitty
  ==> Security & Users
    ==> Users
      ==> Change / Show Characteristics of a User
        ==> User NAME                [root]
          ==> User can LOGIN REMOTELY                [false]

If you need to block logins from other serial terminals, you'll have to edit the "Valid TTYs" field from "ALL" to the name of your console device.

Rgds
-Sandy
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now