[wplug-bsd] Root logins and public keys
Poyner, Brandon
bpoyner at ccac.edu
Mon Dec 5 09:03:03 EST 2005
> > Also, is it dangerous to NOT have a root password?

Define what you mean by not having a root password. By my definition
that would be a password of '' in /etc/master.passwd:

    root::0:0::0:0:Charlie &:/root:/bin/csh

That would be very dangerous. If you want to have a passwd field of '*'
or 'x' that wouldn't be dangerous by itself. You probably noticed the
user 'toor' which is the historical secondary root account; some people
choose to set a password for this user as a backup should they forget
the root password.

> Yes, very dangerous. Use sudo(8) instead. It's in Ports. You can
> permit users in Wheel to run commands as root w/o having to enter
> their password; or, many other policies.

I agree with this, use sudo. Additionally it logs what commands people
have been using, and you can be very picky about what you wish to
delegate.

That said, I imagine you could pull something off with PAM. I don't
have any experience with FreeBSD 5.x's PAM but as I understand it it's
been greatly improved over 4.x. You could try turning this on its head:

http://www.trustix.org/wiki/index.php/Restrict_SSH_per_user

Deny PAM authentication to root but permit key authentication.

Brandon Poyner
Network Engineer III
CCAC - College Office
412-237-3086
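
The password-field distinction drawn in the message above (empty versus '*' or 'x') can be checked mechanically. The script below is an added example, not part of the original post: the function names are hypothetical, the sample records are constructed, and it assumes the 10-field master.passwd layout of the line quoted in the message.

```shell
#!/bin/sh
# Added example: audit master.passwd-format records for risky password fields.
# Assumed layout: name:password:uid:gid:class:change:expire:gecos:home:shell

# classify_accounts (hypothetical name): reads records on stdin and prints
# "<name> <uid> <status>" for every UID 0 account and for every account
# whose password field is empty.
#   EMPTY    - password field is '' (login needs no password)
#   DISABLED - field is 'x' or starts with '*' (no password can match)
#   HASH     - anything else, treated as a password hash
classify_accounts() {
    awk -F: '
        /^#/ || NF < 10 { next }    # skip comments and malformed lines
        {
            if ($2 == "")                      status = "EMPTY"
            else if ($2 == "x" || $2 ~ /^\*/)  status = "DISABLED"
            else                               status = "HASH"
            if ($3 == 0 || status == "EMPTY")
                print $1, $3, status
        }'
}

# count_empty (hypothetical name): number of accounts with an empty field.
count_empty() {
    classify_accounts | awk '$3 == "EMPTY" { n++ } END { print n + 0 }'
}

# Constructed sample records, not taken from a real system.
sample_records() {
    cat <<'EOF'
# constructed sample
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$2b$04$CONSTRUCTEDPLACEHOLDERHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
}

sample_records | classify_accounts
```

On a live system the same function can be fed the real file as root with `classify_accounts < /etc/master.passwd`; any EMPTY line is the dangerous case described in the message.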