Root login

Similar Messages

• Control root login

  Hi,
  Does there is any option to control root login via ssh or su. At a time only one person can login via ssh or su
  If any other trying to access it will throws error like "Already in use"
  Regards
  Siva

  Through SSH, You can use PermitRootLogin directive to control root login.
  To allow specific users to ssh, use AllowUsers directive
  To control su, through sshed teminal, tweak PAM settings.
  To limit only one session / Server use IPtables and use "HITCOUNT" option.

• Passwod for Root login in Terminal:

  It seems I had set up the login password for the Administrator that shows when you start/restart the system different from the root login of the terminal. Is that possible?
  I lost my root password, and clueless. My login to the computer using Administrator' name is working fine. But when I enter su at terminal, it asks for the password, and the password seems different from the login password of the administrator. How to reset the root login password?
  Please help.

  By default, root login is disabled, so no password you enter is going to work.
  You can use /Applications/Utilities/NetInfo Manager to enable or disable the root account.
  Alternatively, if you really need a root shell, use sudo -s (assuming your account is in the admin group and can use sudo). This is actually the preferred method of obtaining a root shell.

• Solaris 11 AutoInstaller service profile for ssh to enable root logins?

  Hi Guys,
  I have got a basic system configuration profile that sets various things for my newly installed solaris 11 client.
  I was curious if anyone has a xml service configuration declaration I could use that configures the ssh service to allow remote root logins.
  I'd appreciate it.

  SSH configuration is not held in SMF but in /etc/ssh/sshd_config so it is not currently possible to use just an AI/SC manifest & profile to do what you ask.
  You need do deliver an updated /etc/ssh/sshd_config file with "PermitRootLogin yes", you will also need to have your SC profile setup so that the root account is not configured as a role. Y
  ou can deliver the /etc/ssh/sshd_config file either in an IPS package or you could do it with a custom [first boot script|http://docs.oracle.com/cd/E26502_01/html/E28980/firstboot-1.html#scrolltoc] or use a software_type of archive in your AI manifest to deliver it via cpio/tar.

• Enable ftp root login on S11

  Hi ,
  I am testing ftp on a quite recent version of S11: S11u11 update1
  #Last login: Thu Mar 1 15:22:29 2012 from qlogic-47fezfvt
  Oracle Corporation SunOS 5.11 11.1 January 2012
  I am wondering why the ftp root login remains disabled, even after I removed "root" from /etc/ftpd/ftpusers and reboot?
  Mar 1 15:48:43 galilei proftpd[2294]: galilei (::ffff:172.27.1.112[::ffff:172.27.1.112]) - SECURITY VIOLATION: root login attempted.
  Any idea how to allow ftp root login?
  Tom

  Hi Tom,
  I haven't checked the docs for all the steps to enable ftp,
  but I see this output on my s11 system:
  # svcs -a | grep ftp
  disabled Feb_17 svc:/network/ftp:default
  disabled Feb_17 svc:/network/tftp/udp6:default
  Have you enabled the service?
  Thanks,
  Cindy

• Prevent root login LXDM

  Dear forum readers,
  I'm using LXDM as my display manager and I want to prevent root from logging in. In the config file /etc/lxdm/lxdm.conf I noticed that I can disable the user list and blacklist users. Sadly when blacklisting root, it really doesn't do anything.
  Anybody who can advice?
  Regards,
  Alex

  I've recently discovered that I can disable root login by changing the /etc/pam.d/lxdm file. Currently the PAM file for LXDM looks like this:
  auth requisite pam_nologin.so
  auth required pam_env.so
  auth required pam_unix.so
  account required pam_unix.so
  session required pam_limits.so
  session required pam_unix.so
  password required pam_unix.so
  I have no clue however how to do it properly. All the examples I found online were for GDM.

• Root login is blocked from telnet ssh pam_unix_session: Can't write lastlog: uid 0: I/O error

  Root login is blocked from telnet ,ssh  error : pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[1969]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[1970]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[1983]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[1984]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[2023]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[2021]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  genunix: vn_rdwr failed with error 0x6
  genunix: kobj_load_module: smp read header failed
  genunix: vn_rdwr failed with error 0x6
  genunix: kobj_load_module: ses read header failed
  sshd[2037]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  sshd[2035]: pam_unix_session: Can't write lastlog: uid 0: I/O error
  please suggest for the issue , occurs frequently in solaris 10

  please verify your underlying hardware

• Kde root login no longer present(Solved with set true kdmrc)

  How to enable root log-in in Kde log-in window.
  Window shows      Root
                        Password......
  Upon entry of password, error message says :
                             !root logins not allowed.
  What change is necessary to allow root log-in?

  Hi lilsirecho.
  I hope these comments will be helpful. I'm not quite certain what you're problem is with your root account.
  1. Give your root account a root password. Log in as root, and run:
  passwd root
  You can get to this console by pressing the tri-chord:
  Alt-Ctrl-Fn
  where Fn is F1 ... F7 (or whatever consoles you've set up in '/etc/inittab') and then logging in.
  2. You should be able to run KDE as root or as a regular user if you log into root or your regular user account. If you're starting from a console, you'll need to run 'startx', of course. You may need to stop the already running X instance: run 'init 3' as root. To restart X, run 'init 5' as root. This should take you to the KDE login.
  3. Once you have KDE up and running, go to the KDE Control Center->System Administrator->Login Manager. To change the login you'll need to have administrative ('root') privileges (that's why you'll need a root password). You'll see a button in the lower left corner of the Login Manager screen to give you 'Administrator Mode'.  You should see in the 'Users' tab a list of login users with options to hide and set icons in login screen. Make certain that 'root' is marked appropriately here.
  4. After you've done your KDE Control Center configuration for the KDE login, you should be able to log out and restart KDE with a root user as an option.
  Regards,
  Win

• Not able to change normal login password through ssh root login remotely

  I am able to login to serverb from servera as root user without password
  as i have set the ssh key authentication between the two servers
  ==============================================================
  bash-3.00# hostname
  servera
  bash-3.00# ssh serverb
  Sun Microsystems Inc. SunOS 5.9 Generic May 2002
  You have new mail.
  root@serverb # hostname
  serverb
  root@serverb #
  ==============================================================
  i am also able to execute remote commands from servera to serverb
  through ssh as root :
  ==============================================================
  bash-3.00# ssh serverb "hostname ; date ; uptime;id -a "
  serverb
  Friday December 11 16:52:10 GMT 2009
  4:52pm up 258 day(s), 2:24, 1 user, load average: 0.12, 0.07, 0.06
  uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon),1001(srsncadm
  bash-3.00#
  ==============================================================
  But when i try to change a normal users login password it give me the following
  error even as root user, can someone please let me know why it preventing
  from a normal login password change though ssh even for a superuser account
  =============================================================
  bash-3.00# ssh serverb passwd testuser
  Permission denied
  bash-3.00#

  You cannot "ssh passwd username" remotely, for one thing. Remember, the passwd command is going to ask for input from the terminal.
  Also, look into the pfexec man page because you might need to change roles in order to change the password on the remote system.

• Upgrade 10.4.11 to 10.5, admin and root login are toast

  I wasn't sure if I should post this under Installation and Setup or Account and Login, as it involves both.
  Short version: After upgrading my G5 tower from 10.4.11 to 10.5, all logging into admin or root accounts stops working, except for logging in automatically as admin on bootup.
  Long, overly wordy version:
  So, I have a MacBook Pro 15" 2.4GHz and a G5 2x2.0GHz tower, both running 10.4.11. I cloned my MBP drive, and did the upgrade to 10.5 in the normal fashion, and everything worked fine. After the install, I updated to 10.5.2 and the other recent stuff in Software Update, and everything is ok there.
  Next, my G5. I cloned my boot drive to an external for safety with CCC 3.0.1. I try the same update from 10.4.11 to 10.5 (PPC instead of Intel obviously, but it's the same install DVD) and it SEEMS to go ok. After the reboot I was up and running with 10.5, logged in as the admin user. I only have 1 user on the G5, the admin user, and it's set to automatically log in. So, it wasn't until I tried to update from 10.5 to 10.5.2 that I discovered that I could not give admin access to the process, or any process. It gives no error message, but acts the same as it would with an incorrect password. I tried logging out, and logging into the same user account again, and it fails. It also seems to think about for quite a while before it rejects the attempt by doing that little horizontal shake thing. Also, normally it would just list my admin user for me to click on, but instead I have the field to type it in myself, like it's totally lost track of the user(s). However, if I do a full reboot, it seems to log in fine via the automatic login function. Oh, and the exact same stuff happens if I try to log in as root, no go. Things like Repair Permissions and disk repairing (via booting to the 10.5 DVD and using disk utility OR booting to and using my TechToolPro 4.6.1 DVD) do nothing, and no problems are found.
  Of course, I tried booting from the 10.5 DVD and resetting the password, and it DOES list the proper admin user's name while doing that. However, it doesn't help, logging in or doing anything requiring admin rights is still impossible, except for logging in via automatic login.
  I reeeeeally don't want to do an archive install, as reinstalling all my apps would be an absolute nightmare. (This is an audio recording station, Logic Pro, Final Cut, Reason, PeakPro, etc.)
  Any ideas? I restored the drive back to 10.4.11 from my backup after wiping it and reformatting (new partition and everything, everything except zero the drive), and did the whole process over again with the exact same results. Restored again, and that's where I am now. I guess I'll have to stick with 10.4.11 for a while longer until I figure this out.
  - JonYo

  Hello Jon:
  It is difficult to determine (read I do not have a clue) what happened. However, an archive and install does not require reinstalling all of your software:
  http://docs.info.apple.com/article.html?artnum=107120
  A&I retains your programs, files, and settings. I used A&I to upgrade one of my iMacs to OS X 10.5 (I also used the upgrade feature on the other one). A&I also creates a rather large folder called +"previous system"+ that may be deleted after things are running well (it is a sort of safety net that contains all of the programs, data, etc from the prior installation).
  Barry
  Message was edited by: Barry Hemphill

• A security question pertaining to disabling the root login. [SOLVED]

  I've recently been configuring sudo and came across the following piece of advice:
  https://wiki.archlinux.org/index.php/Su … root_login
  After making my normal user a full fledged sudoer I followed the advice in the link above.
  passwd -l root
  worked beautifully without problems in spite of the warnings.
  However on a hunch after going
  ls -l /etc/passwd
  I was dismayed to see that the permission of the file was 644 with owner root. Shouldn't the permission be 640? Otherwise why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go like "OK root's disabled this is the only other human user lemme see if I can crack this..."
  Like I would have changed the permission on etc/passwd to 640 but since I'm far from an expert I want to know if this is safe to do/are there any unintended consequences for doing so. Furthermore even if I can do that the cracker will then proceed to search for all users who are members of the wheel group. I don't know what command would do this but clearly there must be a way the OS keeps track of which group has which members. Even if it's possible to safely change the permission of etc/group to 640 or 600 I don't think it's a good idea cause the cracker will still attempt to find all members of the wheel group because wheel is universal to Linux.
  My next worry is /etc/shadow. The good news is the permission there is 600. However there may be other files which can give away my username to the cracker besides /etc/passwd and /etc/group. If so what are they. Can they be safetyed?
  All in all was disabling root a good idea. I still want my normal user to have sudo powers for convenience. But even so if I am right about /etc/passwd then following the advice there simply makes the job one step longer for el cracker muy malo. Can you guys clue me in as to whether or not /etc/passwd can be safetyed without consequence and what is going on with this whole thing.
  Last edited by hiushoz (2011-01-10 05:08:03)

  I don't think you'll be able to change the permissions without error.  If I'm not very much mistaken, several user-space programs (like xterms) read that to determine what your preferred shell is.
  But if I understand the permissions system correctly doesn't the third number dictate access for people that aren't the owner or part of the owners group?
  Yes, that's correct.  However, there's no mechanism for them to view the files. Users can't execute processes (including the shell and its commands) unless they've either logged into your computer or found an exploit somewhere. In the event that they've found the exploit, they're most likely already running in either kernel mode or as root, so your security has already been compromised.
  You're probably confused because of the oft-used terminology 'world readable'. In reality, that means any local user.
  Why would you allow a cracker to login in the first place?
  I think this about sums it up, though I would like to elaborate on what's really being said here. There are several ways to give a cracker access to your computer; the most obvious being granting them a user account and letting them sit at your keyboard.  When you run a script or binary written by someone else, it's very close to the same thing. The program you're running can do everything you can.
  Just as you wouldn't let someone you don't trust sit at your keyboard, you should only run scripts and binaries from users you trust, at least until you've gathered enough skill to scrutinize their contents. By installing the Arch distribution, it seems you already trust Arch and its repositories, so I wouldn't worry so much about those binaries.
  Otherwise why would a cracker try to guess who is a sudoer when you can look at /etc/passwd and see myname in the entries and go like "OK root's disabled this is the only other human user lemme see if I can crack this..."
  This is silly, for a number of reasons:
  1) As above, the user would need to already be logged in as a local user.
  2) There are dozens of other places where you can find lists of local users. Even if you were to change the permissions there, a cracker could easily find a list of probable human users by:
      -Listing the contents of /home/.
      -Reading the file /etc/group; this if anything is even more dangerous, as it hints at which users have administrative rights.
  3) You're trying for security through obscurity. Instead of hiding the usernames, you should attempt to remove any vulnerabilities that would make knowing a username useful.
  Perhaps you'd be better off preventing a brute force attack by monitoring /var/log/auth.log, perhaps with something like Fail2Ban?
  Last edited by ktemkin (2011-01-10 02:23:38)

• Connecting to an XServer as root login

  Is there a way to login to an Xserver from an OSX workstation as root? Is there a setting on the XServer to let root connect to the Xserver from another computer.
  Thanks in advance.

  It should be no problem.
  I can't remember if you first need to enable the root user in NetInfo Manager when running OS X Server. Perhaps you want to check that on the XServe first. (NetInfo Manager -> Security -> Enable Root User)
  Otherwise, you should be able to log in as root from any other machine.

• Disable SSH root login in RAC system

  Hi Alll,
  We have a oracle 11.2.7 RAC in Linux. As statement, SA will disable ssh root log and Nagios will monitor each nodes in RAC system.
  As I know, Nagios only apply DH key for SSH. But Oracle RAC apply two type of SSH key for ssh_equivelancy in Oracle CRS.
  Dees any experts have experience for oracle RAC and database when disable root SSH log in Linux system?
  Thanks very much!
  JIn

  Security is not based on the number of keys one needs - but on the quality of the locks.Partially agree. But just like in real world one lock is not enough even superb. Why cars have imobilisers, defendlocks etc.? Why there is fence in front of some shop's door? It's very common to have two locks on front door. It's much harder (at least it takes much time) to break two locks than break just one. And the time matters. Back to IT security. Disabled root account is one of best practices and is reasonable because you can't 100% assure that your administrator is using strong password everytime. He might just forgot to change password after installation. He might set weak password just for "temporary" reason. You can of course force the password complexity but of course one you have the system installed.
  So can passwords. Deep packet inspection can occur unknowingly. Perhaps we still talking about SSH, don't we?
  The user may be targeted using social engineering, instead of targeting the actual computer system.It's much harder to get two passwords than just one even by using social engineering.
  The question is whether such a server is exposed to an unsecured or public network. And one would manage the risks differently on such a server than one for example in a private network, protected by a reverse proxy in the DMZ, that in turn provides access from a public network.OK, so we've got another locks here ;-)
  So if that user is compromised, so can root as that user can gain root access. I do not see this as better security. It is merely obfuscating security.Which user acccount? Do you know name of that account? Because I know the name of your's. ;-) So you need to find correct account name, get password for that account and also get the password for root account whilst I need to get password for root account only.
  Yes, partially agree with "obfuscation security" term. But in fact this is not for first time when obfuscation is used in security and neither for last time.
  But you can't consider "PermitRootLogin no" and "wheel" group as an obfuscation.
  Using encryption keys (public & private) is one answer to having to share and keep secrets. No, this is also not 100% safe, but I prefer it over having to know, remember and on occasion, share secrets (passwords).How well is your local machine secured? Are you using strong password? Do have all accounts strong password on your local machine? Is your local machine up to date for known sec. bugs (I don't mean zero days)? Is your local machine in separated VLAN or anybody from LAN can access your machine? Because if there are at least two "No" answers then how much time it will take for some skilled part-time worker (in your company) to break into your computer, steal the keys or even worse use your local machine to access the server?
  Don't get me wrong. I am not against encryption keys. Of course I am using it but in combination with other security restrictions which come from "best practices". And to disable direct root access is one of those practices. Even NSA (and other security institutions) suggest to do that (see page #37): www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf Also security auditors check for disabled direct access to privileged accounts.
  I understand this as good enough proof that disabling of direct access to privileged accounts rises security.
  Another good reason is right here:
  Install
  In other words, if any user has possibility to login as root, he uses "root" as default account which is another well known bad practice.

• ARD root login crashes remote machine

  I have an xserve running 10.4.7 and ARD 3.1
  We had a system power down during operation. (dont ask)
  Then after the machine had came back up, trying to ARD onto machine and login as "admin" would enter OK.
  However when logging in as "root" completely crashes the system, I can ping it but nothing else.
  The local console shows just light blue screen with spinning wheel. The system has to be power cycled to get it back up.
  I could not see from the logs what was causing this.
  So as the machine is only running a database and is bound/connected to a windows2003 AD server. I rebuilt clean new boot disks with 10.4.8, again with ARD 3.1. and moved the database back.
  However, I still have the problem where the system will completely crash when logging in as "root" user on an ARD session.
  Has anyone seen this or can point me at some info to diagnose the problem.

  You might try deleting the /Library/Preferences/com.apple.ARDAgent.plist file and the items in /Library/Application Support/Apple/Remote Desktop.

• Lion can not connect to smb if use root login

  I found if use root account login lion, that can't connect to smb but use other account ok.who can help me take a look?

  This might help.  I have a Seagate Dockstar (Pogoplug w/samba) with attached drives connected to my network that was easily discoverable with Bonjour in Snow.
  From my experience -
  I got the SMB share working (sort of) in Lion 10.7
  While the network hub and connected drive(s) won't automatically appear as a Connected Server, or Bonjour Computer I was able to find the Dockstar by going to -
  Go/Connect to Server and then enter it's specific info -  smb://fabx2d09fe (my device's actual number was different than this).
  The dialog pops up for name and password - or connect as Guest.  I couldn't remember if I had set these so tried Guest and was able to access/mount the drive on the desktop and sucessfully read/write to/from it.
  I may have to always connect to recent servers to get the thing to mount so it's not as automatic as Bonjour in the sidebar - but it does work!
  This mostly solved the issue for my needs....maybe it would work for yours?