Re: root password and su (maybe)
From: Gordon Messmer (yinyang_at_eburg.com)
Date: 09/11/03
- Previous message: Benjamin J. Weiss: "Re: Should we stay with M$"
- In reply to: Kelerion: "Re: root password and su (maybe)"
- Next in thread: Sean Estabrooks: "Re: root password and su (maybe)"
To: redhat-list@redhat.com
Date: Thu, 11 Sep 2003 12:23:30 -0700

Kelerion wrote:
> small world.. you must know my boss.. a) describes him perfectly!! :)
>
> what's even more ironic.. is when I approached him about this.. he said
> "but changing the password on a regular basis sounds like a good idea
> for security.."

My suggestion to appease your "security minded" boss:

Configure SSH to allow only key-authenticated logins. Once you've done
so, the root password is useless for anything except logins at the
physical console (at least, that's so unless you've done something else
to weaken security) and "su". You can also change "su"'s pam
configuration if you don't trust users who have ssh access, and don't
want the root password to work with that command either (there's an
example in the default file that will restrict access to users in the
"wheel" group, like most other Unix systems).

With the root password only useful at the physical console, your weak
point becomes the physical access to the box, and you can mostly
disregard your root password as a security concern. (Be absolutely
certain that all of your pam configurations prevent root logins, except
for the "login" program.)

-- redhat-list mailing list unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
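
A way to check a host for the two settings the message above describes, as an added example that is not part of the original post: key-only SSH logins and "su" limited to the wheel group. The sshd directive names, the function names and the sample files are assumptions of this example, and it does not handle `Match` blocks or the `Keyword=value` form in sshd_config.

```shell
#!/bin/sh
# Added example: audit sshd_config and the PAM file for su.

# Print the effective value of an sshd keyword. sshd uses the first
# occurrence and ignores keyword case. $2 is a lower-case ERE of keyword
# names, $3 the default used when the keyword is absent.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Return 0 only if password-style logins are off and public keys are on.
# Newer OpenSSH names the challenge-response switch KbdInteractiveAuthentication.
ssh_keys_only() {
    cr='challengeresponseauthentication|kbdinteractiveauthentication'
    [ "$(sshd_value "$1" passwordauthentication yes)" = no ] &&
    [ "$(sshd_value "$1" "$cr" yes)" = no ] &&
    [ "$(sshd_value "$1" pubkeyauthentication yes)" = yes ]
}

# Return 0 if an active auth line makes pam_wheel.so mandatory for su.
# A commented-out line, or "sufficient pam_wheel.so trust", does not count.
su_wheel_only() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_wheel\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files; on a real host pass /etc/ssh/sshd_config
# and /etc/pam.d/su instead.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$tmp/sshd_good"
# Weak: challenge-response is left at its default of "yes".
printf '%s\n' 'PasswordAuthentication no' > "$tmp/sshd_weak"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' > "$tmp/su_good"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '#auth required pam_wheel.so use_uid' > "$tmp/su_default"

for f in sshd_good sshd_weak; do
    ssh_keys_only "$tmp/$f" && echo "$f: key-only" || echo "$f: passwords accepted"
done
for f in su_good su_default; do
    su_wheel_only "$tmp/$f" && echo "$f: su limited to wheel" || echo "$f: su open to all"
done
```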