
Lesson 9: Controlling root login access
Objective: Controlling the Root Login Process

Controlling Root Login Access

The root login is very powerful, since a few keystrokes can cause major problems. For example, rm *.* will delete everything in the directory in which the command is executed. For this reason, access to the root login should be limited to a small number of system administrators, and the places from which it can be used should also be limited. Although it may be convenient to log in remotely as root, it is an easy way for a cracker to break in.

Why root remote login is bad

Remote root login presents an immediate line of attack on your machine.
There is no need for the cracker to gain access as another user. Since remote root login allows administrators to easily log in as root over the network, there is the real danger that a cracker might steal the password via dictionary attacks applied directly to the root account.

Allowing root login

You will need to make configuration changes to allow root logins only where absolutely necessary.
The file /etc/securetty lists those areas from which the root user may log in:

| Consoles | Description | Recommendation for the /etc/securetty file |
|---|---|---|
| tty1 ... | Direct virtual consoles (<Alt>-<F1>) | Leave available for problem solving |
| ttyS0 ... | Serial consoles used by mgetty | Should not be available |
| 0 ... | Virtual consoles | Should not be available, otherwise root |

Note, however, that even if you disallow root login from network connections, administrators who log in from the network will still be able to use the su (superuser) command to log in as root, potentially revealing the root password if a secure connection is not used. However, if you use OpenSSH, you can safely administer your machine remotely.
The following list walks through the contents of a typical /etc/securetty file.

Secure TTY
  1. This command lists the contents of the /etc/securetty file.
  2. This shows that the first direct virtual console is available.
  3. This shows that the second direct virtual console is available.
  4. This shows that the third direct virtual console is available.
  5. This shows that the fourth direct virtual console is available.
  6. This shows that the fifth direct virtual console is available.
  7. This shows that the sixth direct virtual console is available.
  8. This shows that the seventh direct virtual console is available.
  9. This shows that the eighth direct virtual console is available.

How do I control root login access using securetty

To control root login access using a secure TTY[1], you can edit the file "/etc/securetty". This file lists the TTY devices on which root is allowed to log in. By default, root is only allowed to log in on the TTYs listed in this file. If you want to prevent root from logging in through a particular TTY, you can remove it from this file. For example, to prevent root from logging in through TTY1, open the file "/etc/securetty" in a text editor and remove the line "tty1" from it. Then save the file and close the text editor.
It's worth noting that this method does not offer a high level of security, since a person with physical access can reboot your machine and use another terminal or even a live CD to access your system as root. Instead, you should use SSH key-based authentication, in combination with a firewall that only allows authorized IP addresses to connect to your machine via SSH.

/etc/securetty

The /etc/securetty file allows you to specify the TTY devices on which the root user is allowed to log in. The file is read by the login program, usually /bin/login. Its format is a list of the tty device names allowed; for all others that are commented out or do not appear in this file, root login is disallowed. Disable any tty that you do not need by commenting it out with a # at the beginning of the line. Edit the securetty file (vi /etc/securetty) and comment out the following lines:
 tty1
 #tty2
 #tty3
 #tty4
 #tty5
 #tty6
 #tty7
 #tty8

This means root is allowed to log in only on tty1. This is my recommendation: allow root to log in on only one tty device, and use the su command to switch to root if you need more devices to log in as root.
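
The following shell script is an added example, not part of the original lesson: it reads a securetty-format file, lists the devices on which root login is still enabled, and flags any that fall outside an allow-list (tty1 by default, matching the recommendation above). The function names and the sample file are constructed for illustration, and the device-name patterns for serial and pseudo-terminal entries are assumptions based on common Linux naming.

```shell
#!/bin/sh
# Added example: audit a securetty-format file (names are illustrative).

# Print the active entries: trim whitespace, drop '#' comments and blank lines.
active_ttys() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# Classify a device name (patterns are assumptions based on common naming).
classify_tty() {
    case "$1" in
        tty[0-9]|tty[0-9][0-9])   echo "virtual-console" ;;
        ttyS[0-9]*)               echo "serial" ;;
        pts/[0-9]*|ttyp[0-9a-f]*) echo "pseudo-terminal" ;;
        *)                        echo "unknown" ;;
    esac
}

# $1 = file to audit, $2 = space-separated allow-list (default: tty1 only).
# Prints one line per active entry; returns 1 if any entry is not allowed.
audit_securetty() {
    allowed=" ${2:-tty1} "
    status=0
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        kind=$(classify_tty "$dev")
        case "$allowed" in
            *" $dev "*) echo "OK     $dev ($kind)" ;;
            *) echo "REVIEW $dev ($kind): root login is enabled here"; status=1 ;;
        esac
    done <<EOF
$(active_ttys "$1")
EOF
    return "$status"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# root may log in on:
tty1
#tty2
ttyS0
pts/0
EOF
audit_securetty "$sample" || echo "securetty allows root on more than the allow-list"
rm -f "$sample"
```

To check a real host, call audit_securetty /etc/securetty, optionally passing a wider allow-list as the second argument.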

The next lesson explains the use of the sudo command.
[1] Secure TTY: TTY is an abstract device in UNIX and Linux. Sometimes it refers to a physical input device such as a serial port, and sometimes it refers to a virtual TTY where it allows users to interact with the system.