User guide
Administrative Controls
31
Important
Programs that do not require access to the shell, such as email clients or the sudo command,
can still access the root account.
2.1.4.2.2. Disabling Root Logins
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Red Hat Enterprise Linux's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command:
echo > /etc/securetty
Warning
A blank /etc/securetty file does not prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.
2.1.4.2.3. Disabling Root SSH Logins
Root logins via the SSH protocol are disabled by default in Red Hat Enterprise Linux 6; however, if this option has been enabled, it can be disabled again by editing the SSH daemon's configuration file (/etc/ssh/sshd_config). Change the line that reads:
PermitRootLogin yes
to read as follows:
PermitRootLogin no
For these changes to take effect, the SSH daemon must be restarted. This can be done via the following command:
kill -HUP `cat /var/run/sshd.pid`
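The following audit script is an added example, not part of the Red Hat guide, that checks the two controls described in 2.1.4.2.2 and 2.1.4.2.3: it reads the effective global PermitRootLogin value from an sshd_config file the way sshd does (first uncommented directive wins, Match blocks ignored) and classifies an /etc/securetty file as missing, empty, or restricted. The function names and the combined verdict strings are assumptions of this example; the file paths are parameters so the checks can be run against copies.

```shell
#!/bin/sh
# Added audit helper for the securetty and sshd_config controls (example code,
# not from the Red Hat guide). Each function takes a file path so it can be
# run against copies of /etc/securetty and /etc/ssh/sshd_config.

# Global PermitRootLogin value: the first uncommented directive wins, as in
# sshd, and anything after a Match line is ignored because it is conditional.
# "unset" means the compiled-in default applies, which this audit does not
# treat as a hardened state.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# /etc/securetty semantics: a missing file lets root log in on any device; a
# file with no device lines (what "echo > /etc/securetty" produces: a single
# blank line) denies root on every tty; otherwise root is limited to the
# listed devices. SSH is unaffected either way, as the guide warns.
securetty_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ "$(awk 'NF { n++ } END { print n + 0 }' "$1")" -eq 0 ]; then
        echo empty
    else
        echo restricted
    fi
}

# Combined verdict (naming is this example's own): "hardened" only when SSH
# root login is explicitly "no" and the console list denies root; otherwise
# name the control that is still open.
root_login_audit() {
    ssh=$(permit_root_login "$1")
    tty=$(securetty_status "$2")
    case "$ssh:$tty" in
        no:empty) echo hardened ;;
        no:*)     echo "securetty-$tty" ;;
        *)        echo "sshd-permitrootlogin-$ssh" ;;
    esac
}

# Read-only usage against the live system:
#   root_login_audit /etc/ssh/sshd_config /etc/securetty
```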
2.1.4.2.4. Disabling Root Using PAM
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. Below is an example of how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line in the following example is not necessary if the directive is on one line):
auth required /lib/security/pam_listfile.so item=user \