jay@hqda-ai.ARPA (Jay Hiser) (07/15/88)
As delivered by CCI and used by my predecessors for years, my hosts allow root to login directly. Politics prevent me from limiting access to the root password as much as I'd like, but I can get away with making them use su only (they probably don't even know about the su.log :) ). Unfortunately, I don't have access to the source for login. My sys uses System V Rev 2 (CCI 2.22). Root currently uses sh, since I'm the only one who knows csh (no ksh yet).

While I'm on the subject of security, I'm also interested in monitoring login attempts -- especially attempts through the dial-in modem. getty doesn't offer much help for a dial-in, but it's what I've got.

Thank you for your suggestions,
davidsen@steinmetz.ge.com (William E. Davidsen Jr) (07/15/88)
In article <7285@hqda-ai.ARPA> jay@hqda-ai.ARPA (Jay Hiser) writes:
|
| As delivered by CCI and used by my predecessors for years, my hosts
| allow root to login directly. Politics prevent me from limiting
| access to the root password as much as I'd like, but I can get away
| with making them use su only (they probably don't even know about the
| su.log :) ). Unfortunately, I don't have access to the source for
| login. My sys uses System V Rev 2 (CCI 2.22). Root currently uses
| sh, since I'm the only one who knows csh (no ksh yet).

Suggestion: use this complex program as the login shell for root:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Refuse the session: print a hint, pause, exit non-zero. */
    int main(void)
    {
        fprintf(stderr, "Use your login and 'su' to root\n");
        sleep(2);
        exit(1);
    }

This will keep anyone from using the root login, and thereby force them to do "su" into it. Some systems will use the login shell even when doing "su root" rather than "su - root", but most of these have the logname() call to allow checking on the original username. You could also check wtmp if you need to get fancy.

--
bill davidsen (wedu@ge-crd.arpa)
{uunet | philabs | seismo}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
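Added example, not part of either post: a variant of the refusal shell for systems where "su root" also runs root's login shell, as the reply describes, which also logs refused direct logins. It assumes POSIX getlogin() as a stand-in for the logname() call mentioned, /bin/sh as the real shell, and syslog as the log destination; came_via_su and REAL_SHELL are names made up here.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define REAL_SHELL "/bin/sh"  /* assumption: the shell root should end up in */

/* Return 1 when the session's original login name shows the user arrived
 * from a personal account via su; return 0 for a direct root login or when
 * the original name cannot be determined (fail closed). */
int came_via_su(const char *orig_user)
{
    if (orig_user == NULL || orig_user[0] == '\0')
        return 0;
    return strcmp(orig_user, "root") != 0;
}

int main(int argc, char **argv)
{
    const char *orig = getlogin();            /* name recorded at login time */
    const char *tty = ttyname(STDIN_FILENO);  /* NULL when stdin is not a tty */

    (void)argc;
    if (tty == NULL)
        tty = "unknown tty";

    openlog("rootsh", LOG_PID, LOG_AUTH);
    if (!came_via_su(orig)) {
        /* Direct root login: record where it came from, then refuse. */
        syslog(LOG_WARNING, "direct root login refused on %s", tty);
        fprintf(stderr, "Use your login and 'su' to root\n");
        sleep(2);
        return 1;
    }

    /* Arrived through su: note who it was and hand over to the real shell,
     * passing along whatever arguments su supplied. */
    syslog(LOG_NOTICE, "root shell started for %s on %s", orig, tty);
    execv(REAL_SHELL, argv);
    perror(REAL_SHELL);                       /* reached only if execv failed */
    return 1;
}
```

getlogin() depends on the system's login records, so treat its answer as an audit aid rather than a strong check. Keep a second root session open while testing a new root shell, since a mistake here locks root out.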