Hello,

Before I can login Solaris 10 via PuTTY with root user, but after run
aset or some other commands that I can not remember, I can not login
Solaris from PuTTY with now.

But I can login with other users belongs to root group, after login, I
also can su - root. But can not login with root. How to solve it?

I have tried kill -9 the aset process, and the /etc/default/login
already commented out the line: #CONSOLE=/dev/console

Sincerely,

lovecreatesbeauty

None wrote:
> Hello,
>
> Before I can login Solaris 10 via PuTTY with root user, but after run
> aset or some other commands that I can not remember, I can not login
> Solaris from PuTTY with now.
>
> But I can login with other users belongs to root group, after login, I
> also can su - root. But can not login with root. How to solve it?
>
> I have tried kill -9 the aset process, and the /etc/default/login
> already commented out the line: #CONSOLE=/dev/console

the /etc/ssh/sshd.config  file  prohibits  root login in its default
configuration.

read the  manpage.

$ man sshd
$ man sshd_config

None wrote:
>
>
> I have tried kill -9 the aset process, and the /etc/default/login
> already commented out the line: #CONSOLE=/dev/console
that is not for ssh and is a very very bad idea to do that.
>
in /etc/ssh/sshd_config
cahnge PermitRootLogin no
to PermitRootLogin yes and restart sshd with "svcadm restart ssh"

> But I can login with other users belongs to root group, after login, I also
> can su - root. But can not login with root. How to solve it?

This is not something you 'solve' since this is the right behaviour, changing
it will only break things.

Directly allowing root to logon is a VERY bad idea.

-- 
Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

On Sat, 11 Feb 2006, None wrote:

> But I can login with other users belongs to root group, after login, I
> also can su - root. But can not login with root. How to solve it?

The problem is already solved: don't log in remotely as root.  Log in as
yourself and then become root.

-- 
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich

Rich Teer =E5=86=99=E9=81=93=EF=BC=9A

> On Sat, 11 Feb 2006, None wrote:
>
> The problem is already solved: don't log in remotely as root.  Log in as
> yourself and then become root.
>

In fact, I really was allowed to login as a root user remotly via
PuTTY, but can not do that now, and even I can not "login" as root in
Solaris itself, I mean, after open a terminal with mouse, I can not run
the "login root" command, only can "su - root".

Currently I get a task of building a mail system, and I don't want to
swith to root frequently.

I have another question, I can only make settings in the systemwide
/etc/profile, is there a personal profile existing in Solaris? I know
that the HP-UX has that .profile.

Sincerely,

lovecreatesbeauty

In article <1139717394.934429.12660@z14g2000cwz.googlegroups.com>,
None <lovecreatesbeauty@gmail.com> wrote:
>
>I have another question, I can only make settings in the systemwide
>/etc/profile, is there a personal profile existing in Solaris? I know
>that the HP-UX has that .profile.

as you describe, it's .profile in the users homedirectory
it is / for root 

 
-- 
best regards from vienna           
hans                              

On Sat, 11 Feb 2006, None wrote:

> In fact, I really was allowed to login as a root user remotly via
> PuTTY, but can not do that now, and even I can not "login" as root in
> Solaris itself, I mean, after open a terminal with mouse, I can not run
> the "login root" command, only can "su - root".

That's normal.

> Currently I get a task of building a mail system, and I don't want to
> swith to root frequently.

With all due respect, judging by the nature of wyour questions here,
I think the best thing for you to do would be to hire someone else
to set up your server and/or teach you Solaris sysadmin.

> I have another question, I can only make settings in the systemwide
> /etc/profile, is there a personal profile existing in Solaris? I know
> that the HP-UX has that .profile.

WHat makes you think that Solaris is any different in this respect?
It is the shell that determins the name of the profile file, not the
OS.

-- 
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich

None wrote:
>
> Currently I get a task of building a mail system, and I don't want to
> swith to root frequently.
>
Unless this is in the basment of your house and for personal use, I
would not recommend it. Building a *functional* mail server is not a
easy.
>
Vahid

Vahid  Moghaddasi wrote:
> in /etc/ssh/sshd_config
> cahnge PermitRootLogin no
> to PermitRootLogin yes and restart sshd with "svcadm restart ssh"

I have changed that line as PermitRootLogin yes, and execute svcadm
restart ssh, but it can not solve the problem.

Rich Teer wrote:
> On Sat, 11 Feb 2006, None wrote:
>
> > In fact, I really was allowed to login as a root user remotly via
> > PuTTY, but can not do that now, and even I can not "login" as root in
> > Solaris itself, I mean, after open a terminal with mouse, I can not run
> > the "login root" command, only can "su - root".
>
> That's normal.

Do you think root should be forbidden to login remotly in Unix(es)?
That is not normal, I can do that before, so I want to go back to the
last settings. Can you help this problem?

> With all due respect, judging by the nature of wyour questions here,
> I think the best thing for you to do would be to hire someone else
> to set up your server and/or teach you Solaris sysadmin.

Is Unix administration/programming so hard a work?

> WHat makes you think that Solaris is any different in this respect?
> It is the shell that determins the name of the profile file, not the
> OS.

You're right on this point.
I use ksh on HP-UX and can find two .profile, but can only find
/etc/profile (without dot) on Solaris though I enable ksh in
/etc/passwd.

None wrote:
>
> I have changed that line as PermitRootLogin yes, and execute svcadm
> restart ssh, but it can not solve the problem.
I am not sure what exactly are you doing because the above *will* work.
are you doing 'ssh root@server' and then what do you see? 
Vahid

On Sun, 12 Feb 2006 18:12:05 -0800, None wrote:
> Rich Teer wrote:

> Do you think root should be forbidden to login remotly in Unix(es)?

Irrespective of what anyone thinks, permitting remote root access is
absurdly stupid.  There has been an SSH worm propagating on the Internet
for the past year which precisely targets installations such as you want.

> That is not normal, I can do that before, so I want to go back to the
> last settings. Can you help this problem?

Looking at the crystal ball I foresee your article posted here within the
next few months asking how to remove a rootkit.

>> With all due respect, judging by the nature of wyour questions here,
>> I think the best thing for you to do would be to hire someone else
>> to set up your server and/or teach you Solaris sysadmin.
> 
> Is Unix administration/programming so hard a work?

Not at all unless you try to run a UNIX system as you would a Windows box.

>> WHat makes you think that Solaris is any different in this respect?
>> It is the shell that determins the name of the profile file, not the
>> OS.
> 
> You're right on this point.
> I use ksh on HP-UX and can find two .profile, but can only find
> /etc/profile (without dot) on Solaris though I enable ksh in
> /etc/passwd.

Solaris does not have ~/.profile files by default.  *You* create your own.
Since you elected to use ksh perhaps you would benefit by actually reading
the ksh man page.

Vahid  Moghaddasi wrote:
> I am not sure what exactly are you doing because the above *will* work.
> are you doing 'ssh root@server' and then what do you see?
> Vahid

Thank you. Yes, I change PermitRootLogin to yes, then run the two
commands svcadm restart ssh, ssh root@joe, the result (sorry, but a
little long) shows as below, and I also can not login root via putty.

:q
# svcadm restart ssh
# ssh root@joe
The authenticity of host 'joe (192.168.1.68)'can't be established.
RSA key fingerprintis 4e:01:62:8d:7e:f7:e0:a0:e5:c9:26:a1:2f:4d:ca:8d.
Are you sure you want to continue connecting (yes/no)? n
Please type 'yes' or 'no': no
Host key verification failed.
#
# ssh root@joe
The authenticity of host 'joe (192.168.1.68)'can't be established.
RSA key fingerprintis 4e:01:62:8d:7e:f7:e0:a0:e5:c9:26:a1:2f:4d:ca:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'joe,192.168.1.68' (RSA) to the list of
known hosts.
Password:
Last login: Mon Feb 13 12:04:49 2006
Sun Microsystems Inc.   SunOS 5.10      s10_69  December 2004
You have new mail.
#
# ssh root@joe
Password:
Last login: Mon Feb 13 12:49:48 2006 from joe
Sun Microsystems Inc.   SunOS 5.10      s10_69  December 2004
You have new mail.
# ssh root@joe
Password:
Last login: Mon Feb 13 12:50:34 2006 from joe
Sun Microsystems Inc.   SunOS 5.10      s10_69  December 2004
You have new mail.
# man ssh

Dave Uhring wrote:
> Solaris does not have ~/.profile files by default.  *You* create your own.
> Since you elected to use ksh perhaps you would benefit by actually reading
> the ksh man page.

Yes, after read the comment at the line 3 in /etc/profile, I copy and
edit it to create ~user/.profile (with a dot) for each user, it works.
Thank you.

It's very bad to view man page in Solaris 10, it seams the page up and
page down are not supported very well. In HP-UX, the ^F(or F) and ^B(or
B) work pretty well.

On Sun, 12 Feb 2006 21:14:32 -0800, None wrote:

> It's very bad to view man page in Solaris 10, it seams the page up and
> page down are not supported very well. In HP-UX, the ^F(or F) and ^B(or
> B) work pretty well.

echo "export PAGER=less" >> ~/.profile

Then the keys "j" and "k" will scroll one line at a time.
Ctrl-F or Space will scroll one page upward and Ctrl-B will scroll back
one page.

If you refuse to use the man pages you will *never* learn how to use or
admin a UNIX system.

Dave Uhring wrote:
> echo "export PAGER=less" >> ~/.profile
>
> Then the keys "j" and "k" will scroll one line at a time.
> Ctrl-F or Space will scroll one page upward and Ctrl-B will scroll back
> one page.
>
> If you refuse to use the man pages you will *never* learn how to use or
> admin a UNIX system.

Thank you, Dave. Your tips is great. Now I can read man page in Solaris
conveniently also. I still remember the first time I opened the man
page for help on one command on HP-UX 11, but I didn't know how read
the rest of the help information. Some days later, I knew something on
vi, one day I tried vi commands in man help system, and it worked :- )

Dave Uhring wrote:
> echo "export PAGER=less" >> ~/.profile
>
> Then the keys "j" and "k" will scroll one line at a time.
> Ctrl-F or Space will scroll one page upward and Ctrl-B will scroll back
> one page.

Thank you Dave, your tips is great. Now I can read man page
conveniently.

I still remember the first time I opened a man page for help on a
command, I didn't know how to read the rest of the help information.
Later, I knew more things on vi, one time I tried vi commands in man
help system, then it worked. :- )

Dave Uhring wrote:
> echo "export PAGER=less" >> ~/.profile
>
> Then the keys "j" and "k" will scroll one line at a time.
> Ctrl-F or Space will scroll one page upward and Ctrl-B will scroll back
> one page.
>
> If you refuse to use the man pages you will *never* learn how to use or
> admin a UNIX system.

I even can search text more conveniently in Solaris than in HP-UX after
use your tips, I read ksh man page again.

In HP-UX, it's very hard to search text, do you have the solution?

None wrote:
> Dave Uhring wrote:
>> echo "export PAGER=less" >> ~/.profile
>>
>> Then the keys "j" and "k" will scroll one line at a time.
>> Ctrl-F or Space will scroll one page upward and Ctrl-B will scroll back
>> one page.

For the record, setting PAGER=less fixed this only because (presumably) 
the OP had previously set PAGER to something broken. The bundled "more" 
program on Solaris (and any POSIX-conformant system) is perfectly 
capable of handling all the keys mentioned. On my Solaris 9 box I have 
no PAGER set at all and all these things work fine.

Going a little off topic, there's a lingering tendency to believe that 
"less" is more powerful than "more", because at one time that was true. 
However, 10 or 15 years ago, while POSIX.2 was being drafted, the 
members scrounged up some money and hired the author of less to make a 
POSIX compliant version of it. So nowadays /usr/bin/more on Solaris is 
just a standards-conformant version of less. On Linux it may just be a 
link to less for all I know.

-HT

It is Much less work to log in as yourself and su to root than it is to
REBUILD the system due to an attack because you allowed remote root
logins.

Henry Townsend wrote:
> [...]
> 
> Going a little off topic, there's a lingering tendency to believe that 
> "less" is more powerful than "more", because at one time that was true. 
> [...]

less is still having some useful features missing from more, like rev
video for the searched pattern, or enabling backward search.

Henry Townsend wrote:
> For the record, setting PAGER=less fixed this only because (presumably)
> the OP had previously set PAGER to something broken. The bundled "more"
> program on Solaris (and any POSIX-conformant system) is perfectly
> capable of handling all the keys mentioned. On my Solaris 9 box I have
> no PAGER set at all and all these things work fine.

I just didn't change the PAGER setting. Perhaps it's just the default
value of Solaris 10 experimental.


Dave wrote:
> It is Much less work to log in as yourself and su to root than it is to
> REBUILD the system due to an attack because you allowed remote root
> logins.

I understand this kind of kind suggestion. Now the machine is only
located in LAN, and very safe, just like me sitting here and listening
a Romero's guitar quartet. I just want to change it back. Before I can
login with root remotely. Could you please tell me how to go back to it
again?

what does your -
/etc/hosts.allow file contain.

Change it to include.......
sshd:          LOCAL
sshd:          ALL
sendmail: LOCAL



vxdiskadm

None wrote:
> Thank you. Yes, I change PermitRootLogin to yes, then run the two
> commands svcadm restart ssh, ssh root@joe, the result (sorry, but a
> little long) shows as below, and I also can not login root via putty.
>
> Please type 'yes' or 'no': no
this is a key exchange, just say "y" for yes. REMEBER to put
PermitRootLogin  back to no when you are done.
you may want to do "man sshd_config" and "man ssh_config"
Vahid.