Remote Root Logins and the Wheel Group

Disable remote root logins:

On Linux, /etc/securetty controls this. Pseudo-terminals (ptys) are remote sessions, so take them out of the file.

On Solaris and most System V systems the file is /etc/default/login. Define a console device there to restrict root to the console:

CONSOLE=/dev/console

For OpenSSH, sshd_config should have a line that reads:


PermitRootLogin no


Enable the wheel group. This decides who can use the su command to elevate to root.


In the /etc/pam.d/su file:


auth required /lib/security/pam_wheel.so group=wheel debug


Users added to the group named wheel are the only ones who can su to root.
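
A way to audit the three Linux/OpenSSH settings above on a host. This is an added example, not part of the original notes. The function names are hypothetical, the sample files are constructed, and the sshd_config check assumes a single file with no Include directives and only looks at lines before the first Match block.

```sh
#!/bin/sh
# Audit helpers for the settings described above. Each function takes the
# file path as its argument and returns 0 when the setting is in place.

# securetty: fail if the file is missing or lists a pseudo-terminal
# (pts/N or BSD-style ttypN).
securetty_ok() {
    [ -f "$1" ] &&
        ! grep -Eq '^[[:space:]]*(pts/[0-9]+|ttyp[0-9a-f]+)[[:space:]]*$' "$1"
}

# sshd_config: sshd keeps the first value it reads for a keyword, so take the
# first uncommented PermitRootLogin line in the global section and require
# the value "no". Keywords are case-insensitive, arguments are not.
sshd_root_ok() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    [ "$val" = "no" ]
}

# pam.d/su: require an active "auth required ... pam_wheel.so" line, with or
# without a directory in front of the module name.
su_wheel_ok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#[:space:]]*pam_wheel\.so' "$1"
}

report() {
    if "$1" "$2"; then echo "OK   $1 ($2)"; else echo "FAIL $1 ($2)"; fi
}

# Constructed sample files, not taken from a real host. On a live system pass
# /etc/securetty, /etc/ssh/sshd_config and /etc/pam.d/su instead.
d=$(mktemp -d)
printf 'console\ntty1\npts/0\n' > "$d/securetty"
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config"
printf 'auth required /lib/security/pam_wheel.so group=wheel debug\n' > "$d/su"

report securetty_ok "$d/securetty"     # pts/0 is still listed
report sshd_root_ok "$d/sshd_config"
report su_wheel_ok  "$d/su"
rm -rf "$d"
```
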


See page 88, Practical UNIX and Internet Security for a fun story.

