|Lesson 9|| Controlling root login access|
|Objective||Controlling the Root Login Process|
Controlling Root Login Access
root login is very powerful since several keystrokes can cause major problems. For example,
rm *.* will delete
everything in the directory in which the command is executed. For this reason, access to the
root login should be limited to a
small number of system administrators, and should also be limited to where it can be used. Although it may be convenient to remotely
root, it is an easy way for a cracker to break in.
Why root remote login is bad
root login presents an immediate line of attack on your machine.
There is no need for the cracker to gain access as another user. Since remote
root login allows administrators to easily log in as
root over the network, there is the real danger that a cracker might steal the password via dictionary attacks applied directly to the
Allowing root login
You will need to make configuration changes to allow
root logins only where absolutely necessary.
/etc/securetty lists those areas from which the root user may log in:
Recommendation for the
Direct virtual consoles (<Alt-><F1>)
Leave available for problem solving
Serial consoles used by
Should not be available
Should not be available, otherwise root
Note, however, that even if you disallow
root login from network connections, administrators who log in from the network will still be able to use the
su (superuser) command to log in as root, potentially revealing the
root password if a secure connection is not used.
However, if you use
OpenSSH, you can safely administer your machine remotely.
The following MouseOver shows you the contents of a typical
The next lesson explains the use of the