>We are trying to set up the Enhanced Security option in a BSD Ultrix
>System 4.3a.
>Everything goes well, but now we can only su from console. Is there any
>workaround for this? The system administration tasks aren't carried
>

I tried this a while ago and discovered that the only way was to make ttys secure. The problem then is that ttys are assigned by login order, meaning that the first logins should be those of system administrators. Too bad. (Well, there are other ways, but I wouldn't even seriously mention them).

What I'd suggest is a replacement for 'su' if you must necessarily do it. I tried this approach later on a "secure" environment OSF/1 and it worked, so I assume it should also work on Ultrix (couldn't test it there). I did it for a test, and forgot about the subject.

I don't like the idea anyway of anybody being able to suid root from any network terminal. If you must do it, I'd advise you at least try to make it as difficult to subvert as possible. And at least safer than the "SECURE" environment you are installing (otherwise it would be senseless).

That could mean: get a replacement for 'su' and 'passwd' (you can give 'em other names) for sysadmins. Ensure these use a separate password file with shadow passwords in a hidden, root-readable only, directory, that they require 'good' passwords, check against dictionaries, enforce bigger password lengths and allow for 8+ length passwords, log every use and can only be run by your sysadmins.

The point is that there is no single root password, but rather that each potential sysadmin can have his/her own one, so you don't have a shared secret and they can change their root password often enough to avoid "guessing" attacks without the load of having to spread a single password among many people.

In addition I would also install SSLeay (since you're in Spain) and ssh and require that all remote logins by potential sysadmins be done via them, to avoid password sniffing of their normal user and root passwords. Forcing them to use a restricted shell could be useful too. And all other tricks you can add. 'root' is the most sensible door to your system in the network.

Note: many of the ideas above originally came from R.J.White, a colleague who thought of them before and built a similar system.

Note2: since you're in Spain too, maybe I can help you more directly. Just drop me a note.

jr
--
Jose R. Valverde
EMBnet/CNB
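
The checks listed in the message above (private credential store, password quality, per-admin root passwords, logging of every use), sketched as an added example that is not part of the original post or of any Ultrix or OSF/1 tool. All names (`adminsu`, `store_is_private`, `acceptable`, `make_entry`, `authorize`), the minimum length and the use of PBKDF2 in place of the system's own password hashing are assumptions made for illustration.

```python
import hashlib, hmac, logging, os, stat

log = logging.getLogger("adminsu")   # hypothetical name for the su replacement
MIN_LEN = 12                         # assumed policy value, not from the post
ITERATIONS = 200_000                 # assumed PBKDF2 work factor

def store_is_private(path, owner_uid=0):
    """True if the credential file and its directory belong to owner_uid
    and grant nothing to group or other."""
    for p in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(p)
        if st.st_uid != owner_uid or stat.S_IMODE(st.st_mode) & 0o077:
            return False
    return True

def acceptable(user, password, dictionary):
    """Policy for the passwd replacement: length, dictionary, account name."""
    low = password.lower()
    if len(password) < MIN_LEN or user.lower() in low:
        return False
    # Also reject a dictionary word with digits appended.
    return low not in dictionary and low.rstrip("0123456789") not in dictionary

def make_entry(password, salt=None):
    """Return (salt, hash) for one admin's personal root password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def authorize(user, password, entries):
    """Only accounts present in entries may become root; every attempt is logged."""
    entry = entries.get(user)
    # Hash even for unknown users so timing does not reveal who is an admin.
    salt, expected = entry if entry else (b"\0" * 16, b"")
    _, got = make_entry(password, salt)
    ok = entry is not None and hmac.compare_digest(got, expected)
    log.warning("adminsu user=%s result=%s", user, "granted" if ok else "denied")
    return ok
```

A real replacement would refuse to run when `store_is_private` fails and would send the log records to a destination the admins themselves cannot edit.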