Chapter 4. Workstation Security
Method: Disabling root access via any console device (tty).
Description: An empty /etc/securetty file prevents root login on any devices attached to the computer.
Effects: Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
  login
  gdm
  kdm
  xdm
  Other network services that open a tty
Does Not Affect: Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are not prevented from accessing the root account:
  su
  sudo
  ssh
  scp
  sftp

Method: Disabling root SSH logins.
Description: Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
Effects: Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
  ssh
  scp
  sftp
Does Not Affect: This only prevents root access to the OpenSSH suite of tools.

Method: Use PAM to limit root access to services.
Description: Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so module is required for authentication. Refer to Section 4.4.2.4 Disabling Root Using PAM for details.
Effects: Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
  FTP clients
  Email clients
  login
  gdm
  kdm
  xdm
  ssh
  scp
  sftp
  Any PAM aware services
Does Not Affect: Programs and services that are not PAM aware.

Table 4-1. Methods of Disabling the Root Account

4.4.2.1. Disabling the Root Shell

To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. This prevents access to the root account through commands that require a shell, such as the su and ssh commands.

Important

Programs that do not require access to the shell, such as email clients or the sudo command, can still access the root account.
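Each control in Table 4-1 and Section 4.4.2.1 comes down to the contents of one file, so whether a host is actually locked down can be checked by parsing those files. The script below is an added example and is not part of the Red Hat guide. Every check takes the file to inspect as an argument and is exercised here against constructed sample copies written to a temporary directory; pointing the functions at the live /etc/passwd, /etc/securetty, /etc/ssh/sshd_config and /etc/pam.d/<service> files audits a real host. The checks also cover three details the table does not spell out: a missing /etc/securetty is not the same as an empty one (pam_securetty logs the missing file and then allows the login), sshd honours only the first PermitRootLogin line it meets, and a pam_listfile entry with onerr=succeed fails open if its deny list cannot be read. The sample data, file names and the `.loose`/`.hard`/`.open` suffixes are invented for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit the root-lockdown
# controls from Table 4-1 and Section 4.4.2.1 by parsing the files they
# change. Each function takes the file to inspect as its argument.

# Login shell of the root account from a passwd-format file.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Section 4.4.2.1: login, su and ssh are blocked only when the shell field
# is exactly /sbin/nologin.
root_shell_disabled() {
    [ "$(root_shell "$1")" = "/sbin/nologin" ]
}

# Table 4-1: an EMPTY /etc/securetty denies root on every tty. A missing
# file is not equivalent: pam_securetty logs that it could not open the
# file and then lets the login proceed, so "missing" is reported as open.
securetty_root_disabled() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

securetty_detail() {
    if [ -f "$1" ]; then awk 'END { print NR " entries" }' "$1"; else echo "missing"; fi
}

# Table 4-1: effective PermitRootLogin. sshd keeps the FIRST occurrence of a
# keyword and ignores later ones, matches keywords case-insensitively and
# accepts "Keyword=value". Settings inside a Match block apply only to the
# connections that block matches, so the scan stops there. An absent
# directive means the compiled-in default, which is "yes" for OpenSSH of
# this era.
sshd_permit_root_login() {
    awk '{ gsub(/=/, " ") }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

sshd_root_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# Table 4-1: a PAM service file locks root out only if pam_listfile.so is a
# required (or requisite) module in its auth stack. onerr=succeed is flagged
# separately: with that setting an unreadable deny list lets root in, so
# onerr=fail is the fail-closed choice.
pam_listfile_status() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_listfile\.so$/ {
             status = ($0 ~ /onerr=succeed/) ? "required-fail-open" : "required"
             print status; found = 1; exit
         }
         END { if (!found) print "absent" }' "$1"
}

pam_root_disabled() {
    [ "$(pam_listfile_status "$1")" = "required" ]
}

# check LABEL DETAIL COMMAND [ARGS...]: print PASS/FAIL and count failures.
check() {
    label=$1; detail=$2; shift 2
    if "$@"; then
        echo "PASS  $label ($detail)"
    else
        echo "FAIL  $label ($detail)"
        failures=$((failures + 1))
    fi
}

# audit_root_lockdown PASSWD SECURETTY SSHD_CONFIG PAM_FILE
# Returns the number of controls NOT in place (0 = fully locked down).
audit_root_lockdown() {
    failures=0
    check "root shell is /sbin/nologin"    "shell=$(root_shell "$1")"                       root_shell_disabled "$1"
    check "securetty is empty"             "$(securetty_detail "$2")"                       securetty_root_disabled "$2"
    check "sshd PermitRootLogin is no"     "PermitRootLogin=$(sshd_permit_root_login "$3")" sshd_root_disabled "$3"
    check "PAM auth requires pam_listfile" "pam_listfile=$(pam_listfile_status "$4")"       pam_root_disabled "$4"
    return "$failures"
}

# Constructed sample files: "loose" mimics a default install, "hard" a host
# configured per the table, "open" a fail-open PAM entry. The hard
# sshd_config deliberately carries a later "PermitRootLogin yes" to show
# that the first line wins.
SAMPLE_DIR=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n'     > "$SAMPLE_DIR/passwd.loose"
printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$SAMPLE_DIR/passwd.hard"
printf 'console\ntty1\ntty2\n'                 > "$SAMPLE_DIR/securetty.loose"
: > "$SAMPLE_DIR/securetty.hard"
printf '#PermitRootLogin yes\nProtocol 2\n'    > "$SAMPLE_DIR/sshd_config.loose"
printf 'Protocol 2\nPermitRootLogin no\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.hard"
printf '#%%PAM-1.0\nauth required pam_stack.so service=system-auth\n' > "$SAMPLE_DIR/vsftpd.loose"
printf '#%%PAM-1.0\nauth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=fail\nauth required pam_stack.so service=system-auth\n' > "$SAMPLE_DIR/vsftpd.hard"
printf '#%%PAM-1.0\nauth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed\n' > "$SAMPLE_DIR/vsftpd.open"

for profile in loose hard; do
    echo "== $profile configuration =="
    missing=0
    audit_root_lockdown "$SAMPLE_DIR/passwd.$profile" "$SAMPLE_DIR/securetty.$profile" \
        "$SAMPLE_DIR/sshd_config.$profile" "$SAMPLE_DIR/vsftpd.$profile" || missing=$?
    echo "$missing control(s) missing"
done
```

The exit status of audit_root_lockdown is the number of controls still open, which makes the script usable as a one-line compliance check from cron or a configuration tool; pam_listfile_status returns "required-fail-open" rather than "required" for an onerr=succeed entry so that a deny list which exists but is unreadable is not mistaken for a working control.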