Solved /etc/login.access configuration

Hello,

I was messing with /etc/login.access to tighten login access to a machine I login to via ssh. This is what I did:

Code:
+:big_girl:ALL EXCEPT LOCAL
+:root:console
-:ALL:ALL

I can login OK over ssh as big_girl, but cannot su to root. Trying to su to root returns:

Code:
pam_login_access: pam_sm_acct_mgmt: root is not allowed to log in on /dev/pts/0

How can I modify the +:root:console line so that I can su to root?

EDIT: I should clarify: I do not have physical access to this machine. For security, I do not want to let root log in directly via ssh but rather allow root login only from another user in wheel.

Thanks for any help.
 
First, I wonder why you deny yourself local login (if I understand that EXCEPT syntax correctly). If a problem occurs with a computer, I much prefer logging in as a user and trying to isolate and fix the problem, and only switch to root if there's no other way.

I'm not familiar with all the FreeBSD login security features, but a suggestion I could propose to you is to enable remote root the same way you enable yourself (or perhaps restrict it to some specific domain names), then block root login from ssh using the DenyUsers keyword in the /etc/ssh/sshd_config file. su will then work. I often switch to root this way via ssh!

Dominique.
 
It's simple really: if you log on remotely then your terminal is probably something in the likes of pts/0 or something similar, but not the console itself. And it seems you now allowed root to log on only from the console. As in: the physical machine itself.
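To show why the poster's rules produce exactly that error, here is an added Python model of how /etc/login.access lines are matched (first matching line wins). It is not code from the thread or from FreeBSD: the EXCEPT, LOCAL and group handling is this editor's simplified reading of login.access(5), the group table is constructed, and stripping a leading "/dev/" from tty names is an assumption.

```python
import re

# Constructed stand-in for the group database (group name -> members);
# the real module consults getgrnam(3). Assumption for this example.
GROUPS = {"wheel": {"big_girl"}}

def _split(field):
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]

def _list_match(tokens, item, match_fn):
    """A field matches when a token before EXCEPT matches and nothing
    after EXCEPT matches (the part after EXCEPT may itself use EXCEPT)."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    else:
        head, tail = tokens, []
    if not any(match_fn(t, item) for t in head):
        return False
    return not tail or not _list_match(tail, item, match_fn)

def _user_match(tok, user):
    # A token is a login name, a group name, or ALL.
    return tok == "ALL" or tok == user or user in GROUPS.get(tok, set())

def _from_match(tok, origin):
    # origin is a remote host (ssh) or a tty name (local login, su).
    origin = origin[5:] if origin.startswith("/dev/") else origin  # assumption
    if tok == "ALL" or tok.lower() == origin.lower():
        return True
    if tok == "LOCAL":          # anything without a dot: short hostnames and ttys
        return "." not in origin
    if tok.startswith("."):     # .domain suffix match
        return origin.lower().endswith(tok.lower())
    return False

def login_access(config, user, origin):
    """Return (allowed, matching_line); no matching line means allowed."""
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, froms = (f.strip() for f in line.split(":", 2))
        if (_list_match(_split(users), user, _user_match)
                and _list_match(_split(froms), origin, _from_match)):
            return perm == "+", line
    return True, None

# The poster's three rules, quoted from the thread.
POSTER_CONFIG = "+:big_girl:ALL EXCEPT LOCAL\n+:root:console\n-:ALL:ALL\n"
```

Run `login_access(POSTER_CONFIG, "root", "/dev/pts/0")` and the second line fails to match because pts/0 is not "console", so the deny-all line is the first match; big_girl from a dotted remote hostname is allowed by the first line, but big_girl on a local tty falls through to the same deny.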
 
First, undo all of your changes to /etc/login.access.

Next, open up /etc/ssh/sshd_config in your favorite text editor. Find the (commented out, by default) line that contains the "PermitRootLogin" directive.

It will read (by default) one of two ways (depending on FreeBSD version):

#PermitRootLogin no

or

#PermitRootLogin without-password

Uncomment it and set it to "no". That is, it should read:

PermitRootLogin no

Restart sshd.

Last, if there are only a few user accounts you wish to allow to login via SSH, I recommend adding them to a new group, and setting AllowGroups <group> (instead of DenyGroups or DenyUsers) in /etc/ssh/sshd_config.
 