> Vince, can you have multiple root ids and passwords? Carlos :-)

If you're asking whether you can have multiple user IDs with UID=0, then
the answer is yes. UID/GID, shell program and home directory all come
from the PAM server (ACF2, Top Secret, etc.), and there's no reason you
couldn't have multiple UID 0 IDs if you wanted to.

The nice thing about our PAM implementation is that you have a lot of
flexibility when it comes to restricting which Linux images (or
facilities within a Linux system) a given user can access. You might set
it up so that users get root privileges, but only on a particular Linux
image. Or, perhaps you'd let them use Telnet but not FTP. Because the
authentication is processed by ACF2/Top Secret, all of the normal system
entry controls are extended and apply to Linux as well. For example, an
earlier post asked about auditing, and with our PAM plug-in, you will
most definitely see a complete audit trail of Linux sign-on activity in
your z/OS SMF records.

Having said that, multiple UID 0 users might or might not be a good
thing on Linux because there would be no way to segregate their
permissions (that is, once logged on, any root user would have access to
all resources). Keep in mind that PAM is just for user authentication -
if you want true access control then you need something more. This is
where our eTrust Access Control product fits in: it's essentially
z/OS-style resource protection for Linux, and it provides the kind of
granular resource protection (including controlling what root users may
do), auditing, etc. that mainframe sites would be accustomed to.


Vince Re
Computer Associates
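
The point above, that several IDs can carry UID 0 and cannot be told apart once logged on, is something an administrator can check for directly. The following script is an added example, not from the original post or from Computer Associates; it audits a passwd-format file for UID 0 accounts, using a constructed sample file (the account names in it are made up). On a system whose accounts come from a directory rather than /etc/passwd, run the same functions over the output of `getent passwd` saved to a file.

```shell
#!/bin/sh
# Constructed sample passwd content (not from any real system): three UID 0 entries.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
opsadmin:x:0:0:Operations admin:/home/opsadmin:/bin/bash
carlos:x:1001:1001:Carlos:/home/carlos:/bin/bash
backupsvc:x:0:0:Backup service:/var/backups:/bin/sh
EOF

# uid0_accounts FILE: print the login name of every account whose UID (field 3)
# is 0, one per line, in file order.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# count_uid0 FILE: number of UID 0 accounts in FILE.
count_uid0() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# extra_uid0 FILE: UID 0 accounts other than "root". An auditor expects this
# list to be empty, or to match a documented list of approved shared-root IDs.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Example run over the constructed sample.
echo "UID 0 accounts in $SAMPLE_PASSWD ($(count_uid0 "$SAMPLE_PASSWD") total):"
uid0_accounts "$SAMPLE_PASSWD"
echo "UID 0 accounts beyond root: $(extra_uid0 "$SAMPLE_PASSWD" | tr '\n' ' ')"
```

Because every UID 0 login maps to the same kernel identity, the names this prints are the only way the audit trail can distinguish who acted as root, which is why the list should be kept short and known.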