sonriks
asked on
how do I disable direct root login on HP-UX servers?
Remove root entry on the shadow file.
ASKER CERTIFIED SOLUTION
ASKER
Thank you, svs! sudo is set up on all the servers.
Question though, We have root ssh keys setup on all the servers to enable passwordless login among servers. Will making the change you suggest require removal of the entries in the authorized_keys files? Or will it override the ability to login as root among servers?
It will override, yes. The manual page for sshd_config has more info on this.
ASKER
svs,
The time came for me to implement. I disabled PermitRootLogin in the sshd_config, and had a lot of issues because now the ssh keys are not working, as you said earlier would happen. Caused a lot of problems in production. I'm going to look into the man pages for a solution. Am wondering if you have any ideas off the bat on what change I should make to get the root passwordless communication between servers to work again.
You could run two instances of sshd: one on port 22 that does not permit root login, and another instance on a specially designated port (e.g. 300) that does allow root login.
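As an added example that is not part of this thread (and not HP-UX or OpenSSH project code): the two-instance layout above written out as constructed sshd_config fragments, plus a small sh check that reports the effective PermitRootLogin value of a config and whether root's authorized_keys entries can still log in under it. It assumes HP-UX Secure Shell follows OpenSSH sshd_config semantics (the first occurrence of a keyword wins; PermitRootLogin accepts yes, without-password, forced-commands-only and no). The /opt/ssh paths in the comments and the port numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH-style sshd_config
# semantics on HP-UX Secure Shell: first keyword occurrence wins, and
# PermitRootLogin accepts yes / without-password / forced-commands-only / no.
# Paths under /opt/ssh below are assumed, not verified against a given release.

# Print the effective PermitRootLogin value of the sshd_config read on stdin.
# Comment lines and blank lines are skipped; if the keyword is absent the
# OpenSSH default "yes" is reported.
effective_permit_root_login() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Return 0 if a root authorized_keys entry can still authenticate when
# PermitRootLogin is set to $1, 1 if root is blocked outright.
root_key_login_allowed() {
    case "$1" in
        yes|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed config for the port-22 instance: no root logins at all.
# This is the setting that also breaks key-based root logins.
public_sshd_config() {
    cat <<'EOF'
# /opt/ssh/etc/sshd_config (assumed path) - public instance
Port 22
PermitRootLogin no
PasswordAuthentication yes
EOF
}

# Constructed config for the second instance on the designated port:
# root may log in, but only with a key, never with a password.
root_sshd_config() {
    cat <<'EOF'
# /opt/ssh/etc/sshd_config_root (assumed path) - root-keys instance
Port 300
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# One-line summary for an instance:
# "<label> PermitRootLogin=<value> root-keys=<ok|blocked>"
report() {
    label=$1
    value=$2
    if root_key_login_allowed "$value"; then state=ok; else state=blocked; fi
    printf '%s PermitRootLogin=%s root-keys=%s\n' "$label" "$value" "$state"
}

# Usage: run both constructed configs through the check.
report port22  "$(public_sshd_config | effective_permit_root_login)"
report port300 "$(root_sshd_config | effective_permit_root_login)"

# Starting the second daemon (assumed HP-UX paths; check the config first):
#   /opt/ssh/sbin/sshd -t -f /opt/ssh/etc/sshd_config_root
#   /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config_root
```

The check that matters here is the first report line: PermitRootLogin no refuses root keys as well as root passwords, which is why the asker's server-to-server keys stopped working. without-password (or forced-commands-only, if every root key carries a command= restriction) keeps key logins working while rejecting root passwords, so it is also an option for a single port-22 instance when a second daemon is not wanted. Run sshd -t -f on any edited file before restarting the daemon in production.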
With or without disabling the root user or locking out their password (presumes you have sudo setup to elevate rights of one or several administrative users)?