User guide
Chapter 2. Securing Your Network
Method | Description | Effects | Does Not Affect
(continued from the previous page; remainder of the previous row's lists)
· kdm
· xdm
· su
· ssh
· scp
· sftp
· FTP clients
· Email clients

Method: Disabling root access via any console device (tty).
Description: An empty /etc/securetty file prevents root login on any devices attached to the computer.
Effects: Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
· login
· gdm
· kdm
· xdm
· Other network services that open a tty
Does Not Affect: Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
· su
· sudo
· ssh
· scp
· sftp

Method: Disabling root SSH logins.
Description: Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
Effects: Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
· ssh
· scp
· sftp
Does Not Affect: This only prevents root access to the OpenSSH suite of tools.

Method: Use PAM to limit root access to services.
Description: Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so module is required for authentication. [1]
Effects: Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
· FTP clients
· Email clients
· login
· gdm
· kdm
· xdm
· ssh
· scp
· sftp
· Any PAM aware services
Does Not Affect: Programs and services that are not PAM aware.

[1] Refer to Section 2.1.4.2.4, “Disabling Root Using PAM” for details.
2.1.4.2.1. Disabling the Root Shell
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. This prevents access to the root account through commands that require a shell, such as su and ssh.
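The four controls above (the root shell, an empty /etc/securetty, PermitRootLogin, and pam_listfile.so) each live in a different file, and a change to one of them is easy to lose on reinstall or during a package upgrade. The script below is an added example, not part of the Red Hat guide, that audits all four read-only and reports which are in effect. Every function takes the path of the file to inspect (defaulting to the live system path) so it can be pointed at fixtures or at a mounted image. Assumptions beyond the text: /usr/sbin/nologin is accepted as an alternative nologin path, only the whitespace-separated "Keyword value" form of sshd_config is parsed, a securetty file containing only blank and comment lines counts as empty, and /etc/pam.d/login is the default PAM service file checked.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): read-only audit of the root
# lockdown methods in the table above and in Section 2.1.4.2.1.
# Each check returns 0 = method in effect, 1 = not in effect,
# 2 = file unreadable (treated as not in effect by the caller).

# Section 2.1.4.2.1: root's login shell in /etc/passwd is /sbin/nologin.
# Accepting /usr/sbin/nologin as well is an assumption (Debian-style path).
root_shell_disabled() {
    passwd_file=${1:-/etc/passwd}
    [ -r "$passwd_file" ] || return 2
    shell=$(awk -F: '$1 == "root" { print $7; exit }' "$passwd_file")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Table row "Disabling root access via any console device (tty)":
# /etc/securetty must be empty. Blank and '#' comment lines are ignored,
# so a file holding only those is treated as empty (assumption).
console_root_disabled() {
    securetty=${1:-/etc/securetty}
    [ -r "$securetty" ] || return 2
    if grep -q '^[[:space:]]*[^#[:space:]]' "$securetty"; then
        return 1        # at least one tty is still listed
    fi
    return 0
}

# Table row "Disabling root SSH logins": PermitRootLogin no in sshd_config.
# sshd honours the first occurrence of a keyword (keywords are case-
# insensitive), and settings inside a Match block apply only to that block,
# so parsing stops at the first Match line. An absent keyword leaves the
# compiled-in default, which is never "no", so it fails the check.
ssh_root_disabled() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || return 2
    value=$(awk 'tolower($1) == "match" { exit }
                 tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    [ "$value" = "no" ]
}

# Table row "Use PAM to limit root access to services": the service file
# under /etc/pam.d/ requires pam_listfile.so with item=user sense=deny,
# and root appears in the deny list named by its file= argument.
pam_root_denied() {
    svc_file=$1
    [ -r "$svc_file" ] || return 2
    deny_file=$(awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
                     /pam_listfile\.so/ && /item=user/ && /sense=deny/ {
                         for (i = 3; i <= NF; i++)
                             if (sub(/^file=/, "", $i)) { print $i; exit }
                     }' "$svc_file")
    [ -n "$deny_file" ] || return 1
    [ -r "$deny_file" ] || return 2
    grep -qx 'root' "$deny_file"
}

# report <label> <check-function> <file>: print one line, return 0/1.
report() {
    if "$2" "$3"; then
        echo "in effect:    $1 ($3)"
        return 0
    fi
    echo "NOT enforced: $1 ($3)"
    return 1
}

# audit_root_access [passwd] [securetty] [sshd_config] [pam-service-file]
# Prints one line per method and returns the number of methods not in effect.
audit_root_access() {
    failures=0
    report "root shell is nologin"        root_shell_disabled   "${1:-/etc/passwd}"          || failures=$((failures + 1))
    report "empty securetty"              console_root_disabled "${2:-/etc/securetty}"       || failures=$((failures + 1))
    report "PermitRootLogin no"           ssh_root_disabled     "${3:-/etc/ssh/sshd_config}" || failures=$((failures + 1))
    report "pam_listfile denies root"     pam_root_denied       "${4:-/etc/pam.d/login}"     || failures=$((failures + 1))
    return "$failures"
}

# Stand-alone use:  sh audit_root.sh --audit [passwd] [securetty] [sshd_config] [pam-file]
# Exit status is the number of methods found not in effect (0 = all enforced).
case "${1:-}" in
    --audit) shift; audit_root_access "$@" ;;
esac
```

The exit status doubles as a count, so the script can be dropped into a configuration-check job that fails when any of the four controls has drifted. Note that pam_root_denied only tells you the deny list exists and names root; it does not prove the service is actually linked against PAM, which is exactly the "Does Not Affect" caveat in the last table row.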