old-www/LDP/LG/issue55/tag/13.html

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3D.k">
<TITLE>The Answer Guy 55: Remote Login as 'root': Don't do it!  (Except using SSH or ...)</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr> 
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
<p align="center">
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]" 
	SRC="../../gx/navbar/prev.jpg" 
	WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/left.jpg" 
	WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]" 
        SRC="../../gx/navbar/toc.jpg" 
	WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
<A HREF="../../index.html"><IMG ALT="[ Front Page ]" 
        SRC="../../gx/navbar/frontpage.jpg" 
	WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]" 
        SRC="../../gx/navbar/faq.jpg"
	WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" 
	WIDTH="15" HEIGHT="45" ALIGN="bottom" >
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]" 
	SRC="../../gx/navbar/next.jpg" 
	WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A>
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
</p>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" 
		border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" 
		border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
	LinuxCare,
	<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A> 
</H4>
</center>

<p><hr><p>
<!--  endcut ======================================================= -->
<!-- begin 13 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" 
	height="50" width="60" alt="(?) " border="0"
	>Remote Login as 'root': Don't do it!  (Except using SSH or ...)</H3>


<p><strong>From michael.rees on Wed, 07 Jun 2000  
</strong></p>
<!-- ::
Remote Login as 'root': Don't do it!  (Except using SSH or ...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
Hi,
Sorry to bother you
but could you help me with the following??
</STRONG></P>
<P><STRONG>
i am running red hat linux 6.1 and am encountering some problems
i can login as root from the console but not from anywhere else
</STRONG></P>
<P><STRONG>
i have to login as webmaster on all other machines on ntwk
</STRONG></P>
<P><STRONG>
from nowhere, including the console, can i su once logged in as webmaster
</STRONG></P>
<P><STRONG>
any help would be appreciated
</STRONG></P>
<P><STRONG>
Regards,
Michael
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Your system is enforcing a very reasonable policy by preventing
direct 'root' logins from over the network.
</BLOCKQUOTE>
<BLOCKQUOTE>
The best way to circumvent this policy is to use one of the
implementations of SSH (the original SSH by Tatu Ylonen, now owned
and commmercially available from DataFellows Inc
<A HREF="http://www.datafellows.com"
	>http://www.datafellows.com</A>, or OpenSSH <A HREF="http://www.openssh.com"
	>http://www.openssh.com</A> <TT>---</TT>
which is ironically at a .com rather than a .org domain, or the
GPL'd lsh at <A HREF="http://www.net.lut.ac.uk/psst"
	>http://www.net.lut.ac.uk/psst</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Any of these should allow you to access your system through
cryptographically secured authentication and session protocols that
protect you from a variety of sniffing, spoofing, TCP hijacking and
other vulnerabilties that are common using other forms of remote
shell access (such as telnet, and the infamous rsh and rlogin
packages).
</BLOCKQUOTE>
<BLOCKQUOTE>
If you really insist on eliminating these policies from your
system you can edit files under <TT>/etc/pam.d</TT> that are used to
configure the options and restrictions of the programs that are
compiled against the PAM (pluggable authentication modules)
model and libraries.  Here's an example of one of them
(<TT>/etc/pam.d/login</TT> which is used by the in.telnetd service):
</BLOCKQUOTE>

<blockquote><pre>#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       required   pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth       required   pam_unix.so nullok

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
account    required   pam_unix.so
session    required   pam_unix.so

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   required   pam_unix.so nullok obscure min=4 max=8

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5
</pre></blockquote>
<BLOCKQUOTE>
This is from my <A HREF="http://www.debian.org/">Debian</A> laptop (mars.starshine.org) and thus has
far more comments (all those lines starting with "#" hash marks)
than those that <A HREF="http://www.redhat.com/">Red Hat</A> installs.  It's good that Debian comments
these files so verbosely, since that's practically the only
source of documentation for PAM files and modules.
</BLOCKQUOTE>
<BLOCKQUOTE>
In this case the entry that you really care about is the
one for 'securetty.so'  This module checks the file
<TT>/etc/securetty</TT> which is classically a list of those terminals
on which your system will allow direct root logins.
</BLOCKQUOTE>
<BLOCKQUOTE>
You could comment out this line in <TT>/etc/pam.d/login</TT> to
disable this check for those services which call the
<TT>/bin/login</TT> command.  You can look for similar lines in
the various other <TT>/etc/pam.d</TT> files so see which other
services are enforcing this policy.
</BLOCKQUOTE>
<BLOCKQUOTE>
This leads us to the question of why your version of 'su'
is not working.  Red Hat's version of 'su' is probably
also "PAMified" (almost certainly, in fact).  So there
should be a <TT>/etc/pam.d/su</TT> file that controls the list of
policies that your copy of 'su' is checking.  You should
look through that to see why 'su' isn't allowing your
'webmaster' account to become 'root'.
</BLOCKQUOTE>
<BLOCKQUOTE>
It seems quite likely that your version of Red Hat contains
a line something like:
</BLOCKQUOTE>

<blockquote><pre># Uncomment this to force users to be a member of group root
# before than can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth       required   pam_wheel.so
</pre></blockquote>
<BLOCKQUOTE>
Classically the 'su' commands on most versions of UNIX
required that a user be in the "wheel" group in order to
attain 'root'  The traditional GNU implementation did not
enforce this restriction (since rms found it distasteful).
</BLOCKQUOTE>
<BLOCKQUOTE>
On my system this line was commented out (which is presumably
the Debian default policy, since I never fussed with that
file on my laptop).  I've uncommented here for this example.
</BLOCKQUOTE>
<BLOCKQUOTE>
Note that one of the features of PAM is that it allows you
to specify any group using a command line option.  It defaults
to "wheel" because that is an historical convention.  You can
also use the pam_wheel.so module on any of the PAMified
services <TT>---</TT> so you could have programs like 'ftpd' or
'xdm' enforce a policy that restricted their use to members
of arbitrary groups.
</BLOCKQUOTE>
<BLOCKQUOTE>
Finally note that most recent versions of SSH have PAM support
enabled when they are compiled for Linux systems.  Thus you
may find, after you install any version of SSH, that you have
an <TT>/etc/pam.d/ssh</TT> file.  You may have to edit that to set some
of your preferred SSH policies.  There is also an sshd_config
file (mine's in <TT>/etc/ssh/sshd_config</TT>) that will allow you to
control other ssh options).
</BLOCKQUOTE>
<BLOCKQUOTE>
In generall the process of using ssh works something like this:
</BLOCKQUOTE>
<BLOCKQUOTE><ol>
<li>Install the sshd (daemon) package on your servers (the systems
that you want to access)
<li> Install the ssh client package on your clients (the systems
from which you'd like to initiate your connections).
<li> Generate Host keys on all of these systems (normally done
for you by the installation).
</ol></BLOCKQUOTE>
<BLOCKQUOTE>
.... you could stop at this point, and just start using the
ssh  and slogin commands to access your remote accounts using
their passwords.  However, for more effective and convenient use
you'd also:
</BLOCKQUOTE>
<BLOCKQUOTE><ol start="4">
<li> Generate personal key pairs for your accounts.
<li> Copy/append the identity.pub (public) keys from
each of your client accounts into the <tt>~/.ssh/authorized_keys</tt>
files on each of the servers.
</ol></BLOCKQUOTE>
<BLOCKQUOTE>
This allows you to access those remote accounts without using
your passwords on them.  (Actually sshd can be configured to
require the passwords AND/OR the identity keys, but the default
is to allow access without a password if the keys work).
</BLOCKQUOTE>
<BLOCKQUOTE>
Another element you should be aware of is the "passphrases" and
the ssh-agent.  Basically it is normal to protect your private
key with a passphrase. This is sort of like a password <TT>---</TT> but
it is used to decrypt or "unlock" your private key.  Obviously
there isn't much added convenience if you protect your private
key with a passphrase so that you have to type that every time
you use an ssh/slogin or scp (secure remote copy) command.
</BLOCKQUOTE>
<BLOCKQUOTE>
ssh-agent allows you to start a shell or other program, unlock
your identity key (or keys), and have all of the ssh commands
you run from any of the descendents of that shell or program
automatically use any of those unlocked keys.  (The advantage
of this is that the agent automatically dies when you exit the
shell program that you started.  That automatically "locks" the
identity <TT>---</TT> sort of.
</BLOCKQUOTE>
<BLOCKQUOTE>
There are alot of other aspects to ssh.  It can be used to
create tunnels, through which one can use all sorts of
traffic.  People have created PPP/TCP/IP tunnels that run
through ssh tunnels to support custom VPNs (virtual private
networks). When run under X, ssh automatically performs
"X11 forwarding" through one of the these tunnels.  This
is particularly handy for running X clients on remote systems
beyond a NAT (IP Masquerading) router or through a proxying
firewall.
</BLOCKQUOTE>
<BLOCKQUOTE>
In other words ssh is a very useful package quite apart from
its support for cryptographic authentication and encryption.
</BLOCKQUOTE>
<BLOCKQUOTE>
In fairness I should point out that there are a number of
alternatives to ssh.   Kerberos is a complex and mature suite
of protocols for performing authentication and encryption.
STEL is a simple daemon/client package which functions just
like telnetd/telnet <TT>---</TT> but with support for encrypted sessions.
And there are SSL enabled versions telnet and ftp daemons and
clients.
</BLOCKQUOTE>
<BLOCKQUOTE>
Another issue where I talked a bit about crypto software
available for Linux:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQuote>
<A HREF="http://www.linuxgazette.com/issue35/tag/crypto.html"
	>http://www.linuxgazette.com/issue35/tag/crypto.html</A>
</BLOCKQuote></BLOCKQUOTE>
<BLOCKQUOTE>
Another issue where I answer questions about remote root
logins:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQuote>
<A HREF="http://www.linuxgazette.com/issue35/tag/remoteroot.html"
	>http://www.linuxgazette.com/issue35/tag/remoteroot.html</A>
</BLOCKQuote></BLOCKQUOTE>

<!-- end 13 -->
<!--startcut ======================================================= -->
<P> <hr> </p>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
	>Copyright &copy;</a> 2000, James T. Dennis 
<BR>Published in <I>The Linux Gazette</I> Issue 55 July 2000</H5>
<H6 ALIGN="center">HTML transformation  by
	<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
	Tuxtops, Inc.,
	<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A> 
</H6>
<P> <hr> 
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<p align="center">
<table width="100%" border="0"><tr>
<td align="right" valign="center"
	><IMG ALT="" SRC="../../gx/navbar/left.jpg"
        WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0">
<A HREF="../lg_answer55.html"
	><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
              ALT="[ Answer Guy Current Index ]" border="0"></A></td>
<td align="center" valign="center"><A HREF="../lg_answer55.html#greeting"><img align="middle"
	src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A> &nbsp;
  <A HREF="1.html">1</A> &nbsp;
  <A HREF="2.html">2</A> &nbsp;
  <A HREF="3.html">3</A> &nbsp;
  <A HREF="4.html">4</A> &nbsp;
  <A HREF="5.html">5</A> &nbsp;
  <A HREF="6.html">6</A> &nbsp;
  <A HREF="7.html">7</A> &nbsp;
  <A HREF="8.html">8</A> &nbsp;
  <A HREF="9.html">9</A> &nbsp;
  <A HREF="10.html">10</A> &nbsp;
  <A HREF="11.html">11</A> &nbsp;
  <A HREF="12.html">12</A> &nbsp;
  <A HREF="13.html">13</A> &nbsp;
<br>
  <A HREF="14.html">14</A> &nbsp;
  <A HREF="15.html">15</A> &nbsp;
  <A HREF="16.html">16</A> &nbsp;
  <A HREF="17.html">17</A> &nbsp;
  <A HREF="18.html">18</A> &nbsp;
  <A HREF="19.html">19</A> &nbsp;
  <A HREF="20.html">20</A> &nbsp;
  <A HREF="21.html">21</A> &nbsp;
  <A HREF="22.html">22</A> &nbsp;
</td>
<td align="left" valign="center"><A HREF="../../tag/kb.html"
	><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
              ALT="[ Index of Past Answers ]" border="0"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
        WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
</p>
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr> 
<!-- *** BEGIN navbar *** :::::::::::::::::::::::::::::::::::::::::::::::: -->
<p align="center">
<A HREF="../lg_bytes55.html"><IMG ALT="[ Prev ]" 
	SRC="../../gx/navbar/prev.jpg" 
	WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/left.jpg" 
	WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom" >
<A HREF="../index.html"><IMG ALT="[ Table of Contents ]" 
        SRC="../../gx/navbar/toc.jpg" 
	WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A>
<A HREF="../../index.html"><IMG ALT="[ Front Page ]" 
        SRC="../../gx/navbar/frontpage.jpg" 
	WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<A HREF="../../faq/index.html"><IMG ALT="[ FAQ ]" 
        SRC="../../gx/navbar/faq.jpg"
	WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A>
<IMG ALT="" SRC="../../gx/navbar/right.jpg" 
	WIDTH="15" HEIGHT="45" ALIGN="bottom" >
<A HREF="../lg_tips55.html"><IMG ALT="[ Next ]" 
	SRC="../../gx/navbar/next.jpg" 
	WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A>
<!-- *** END navbar *** :::::::::::::::::::::::::::::::::::::::::::::::::: -->
</p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->