Saturday, April 11, 2009

Root Login Not Possible

A few wrong settings that can prevent the 'root' user from logging in to the Linux box are:
1) The Shell
Check the login shell that the system is offering to the 'root' user.
Steps for checking this:
i) Log in to the system in single-user mode.
ii) Check the login shell in /etc/passwd using the following:
# grep root /etc/passwd
In the results, look for the line starting with 'root' and check its last entry, treating ':' as the delimiter.
iii) If the entry is '/sbin/nologin', the root user is not being given a shell that allows logging in to the system and performing tasks. We need to change this shell to /bin/bash so that the user is allowed to log in.
iv) To change this we need to run a single command.
# usermod -s /bin/bash root
This command will change the shell for the root user to /bin/bash as desired.
v) The new shell can be cross-checked by running the command used previously in step ii.
# grep root /etc/passwd
This time the last entry should be /bin/bash.

2) Permissions of /etc/securetty file
For the root user to log in to the machine, the file /etc/securetty should have either 600 or 644 set as its permissions. So first we need to check the present permissions of the file. This is as simple as viewing the file listing.
# ls -l /etc/securetty
The first column of the listing should look similar to -rw-------, which means the value is set to 600.
If this value is not one of 600 or 644, we need to change it using the following command.
# chmod 600 /etc/securetty
To cross-check that the file permissions have been modified, view the permissions again as above.

3) No terminal entry in /etc/securetty should be commented.
Open the file /etc/securetty using the vi editor. Check to ensure that no line in there is commented. If there is any, uncomment it, save the file and exit.
Editing the contents of the file requires knowing how to work with the vi editor.
PS: A very good post at The Linux Documentation Project explains the use of vi.

4) Check for account details.
The next check is of the account details for the root user. Here we first look at the present account details of the user.
# chage -l root
The command will list account information about the root user. Check the dates and ensure that none of them is offending. The default and good settings are:
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

If, for example, 'Account expires' has a date earlier than today, it is clear that the account is no longer valid. But since the root user account should not be expired, we need to change the value of this parameter to its default value of never.
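
The four checks above can also be run as one read-only audit. The script below is an added example, not part of the original post; the function names are hypothetical and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Read-only audit of checks 1-4; nothing on the system is modified.
# Function names are illustrative; paths are arguments so copies can be tested.

# Check 1: print root's login shell (last ':'-separated field of passwd).
root_shell() {
    awk -F: '$1 == "root" { print $NF }' "$1"
}

# Check 2: succeed only if the file mode is 600 or 644 (uses GNU stat).
securetty_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ "$mode" = 600 ] || [ "$mode" = 644 ]
}

# Check 3: print commented lines with line numbers; fails if there are none.
commented_ttys() {
    grep -n '^[[:space:]]*#' "$1"
}

# Check 4: read `chage -l root` output on stdin, print the "Account expires" value.
account_expires() {
    sed -n 's/^Account expires[[:space:]]*:[[:space:]]*//p'
}

# Run checks 1-3 on a passwd file ($1) and a securetty file ($2).
# The exit status is the number of findings (0 means all three passed).
audit_root_login() {
    findings=0
    case "$(root_shell "$1")" in
        */nologin) echo "shell: root is given a nologin shell"; findings=$((findings + 1)) ;;
    esac
    if ! securetty_mode_ok "$2"; then
        echo "perms: $2 is not 600 or 644"; findings=$((findings + 1))
    fi
    if commented_ttys "$2" >/dev/null; then
        echo "securetty: commented entries present"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files (not from a real host) that trip all three checks.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$demo/passwd"
printf 'console\n#tty1\ntty2\n' > "$demo/securetty"
chmod 666 "$demo/securetty"
audit_root_login "$demo/passwd" "$demo/securetty" || echo "findings: $?"
printf 'Account expires\t\t: Jan 01, 2009\n' | account_expires
rm -rf "$demo"
```

On a real host, call `audit_root_login /etc/passwd /etc/securetty` and `chage -l root | account_expires` as root instead of the constructed files.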
