If you wish to disable root login for security reasons, or you want to troubleshoot a root login problem, here are some methods:
1.---------->
> Open the file /etc/passwd
> Change the line root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin
Root login is disabled now.
[It's self-explanatory] Undo it to re-enable.
2.----------->
> Change the permissions (rwx) of the file /etc/securetty to any value other than 600 (i.e. rw-------). This file is the tty login file.
E.g. chmod 644 /etc/securetty
Undo it with chmod 600 /etc/securetty
3.----------->
> Open the file /etc/securetty
> Comment out, using #, each terminal on which you want to deny access to root.
Take a look at my /etc/securetty file:
__________________________________________________
#tty1
tty2
tty3
#tty4
tty5
tty6
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
__________________________________________________
There are 6 CLI terminals, which are marked as tty1, tty2, ...
You can enter them by pressing Alt+Ctrl+F1 for terminal 1; for terminal 2 replace F1 with F2, and so on for the other terminals.
Press Alt+Ctrl+F7 to come back to the GUI.
After you comment out a terminal, you can't log in on that terminal; it will display: login incorrect
(Undo by removing the hashes from the file)
4.----------->
> Create a file named "nologin" in the /etc directory.
With this method, all users get blocked.
E.g. execute the command --> 'touch /etc/nologin' or 'cat > /etc/nologin'
5.----------->
> Type the command --> 'chage -E 0 root'
This command just expires the root password.
Observe the difference in the 1st line of the file /etc/shadow before and after executing the command:
root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7:::
root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7::0:
Yes, you are right, there is an extra zero at the end. That stands for the days left until your password expires.
Undo it by issuing the command --> 'chage -E NEVER root' or 'chage -E 99999 root'
Issuing the last command will change the 1st line of /etc/shadow to:
root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7::99999:
You can also do this by editing the file directly.
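6.----------->
OK, first, as root, you need to install sudo. Next, also as root, you need to edit the file /etc/sudoers. Add the following line --
Code:
username ALL=(ALL) ALL
Replace username with the user you want to be able to access root permissions.
Now, to disable the root account, as root type the following at the command prompt --
Code:
passwd -l root
The -l flag will lock the root account. No longer will root logins be possible on your box. It is simple to get them back, you just need to do the following --
Code:
sudo passwd root
and enter the new root password when prompted.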
-------------X------------
Of course, there are some more ways of blocking root login, but I don't want to risk my PC trying those now.
These methods work fine on Red Hat and Mandriva, so they should work on other Linux OSs.
When troubleshooting a root login problem, check each of these settings.
If you get trapped using these methods, try logging in at runlevel 1 from the GRUB menu or use a rescue CD, as I suggested in the thread
"Securing ROOT password!!"
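The troubleshooting check described above, as an added shell example that is not part of the original post. The function names, the PREFIX argument and the sample files are assumptions made here; the sample files are constructed, and the function only reads the files it inspects.

```sh
#!/bin/sh
# Added example, not from the post. PREFIX is an assumption: "" audits the
# live /etc, any other value audits a copy under PREFIX/etc.
root_login_blocks() {
    etc="${1:-}/etc"
    today=$(( $(date +%s) / 86400 ))   # shadow counts days since 1970-01-01
    # Method 1: field 7 of root's passwd entry is the login shell.
    shell=$(awk -F: '$1 == "root" { print $7 }' "$etc/passwd" 2>/dev/null) || shell=""
    case "$shell" in
        */nologin|*/false) echo "passwd: root shell is $shell" ;;
    esac
    if [ -f "$etc/securetty" ]; then
        # Method 2: the post moves the mode away from 600 (rw-------).
        mode=$(ls -ld "$etc/securetty" | cut -c2-10)
        if [ "$mode" != "rw-------" ]; then echo "securetty: mode is $mode"; fi
        # Method 3: terminals commented out with '#'.
        off=$(sed -n 's/^#[[:space:]]*\(tty[0-9]*\)[[:space:]]*$/\1/p' \
              "$etc/securetty" | tr '\n' ' ')
        if [ -n "$off" ]; then echo "securetty: commented out: ${off% }"; fi
    fi
    # Method 4: the nologin file exists.
    if [ -e "$etc/nologin" ]; then echo "nologin: $etc/nologin exists"; fi
    # Methods 5 and 6: shadow field 8 is the expiry day; 'passwd -l' puts
    # a '!' in front of the hash in field 2.
    if [ -r "$etc/shadow" ]; then
        awk -F: -v today="$today" '$1 == "root" {
            if ($8 != "" && $8 + 0 <= today) print "shadow: root expired (field 8 = " $8 ")"
            if (substr($2, 1, 1) == "!") print "shadow: root password locked"
        }' "$etc/shadow"
    fi
    return 0
}

# Constructed sample files (not a real system), using the post's settings.
demo_fixture() {
    d=$(mktemp -d) && mkdir "$d/etc"
    echo 'root:x:0:0:root:/root:/sbin/nologin' > "$d/etc/passwd"
    printf '#tty1\ntty2\ntty3\n#tty4\n' > "$d/etc/securetty"
    chmod 644 "$d/etc/securetty"
    echo 'root:!$1$CONSTRUCTED$hash:14203:0:99999:7::0:' > "$d/etc/shadow"
    echo "$d"
}

fixture=$(demo_fixture)
root_login_blocks "$fixture"
rm -rf "$fixture"
```

Run with no argument as root to inspect the live system; an empty result means none of the six settings is currently blocking root.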
*****************************Have A Nice Day !!************************