Another option is putting random characters in root's password hash in /etc/shadow. This would mean that no one should be able to log in directly as root remotely or at the console. You could then use sudo (rather than su) to allow users to have root privileges.
Good luck,
Scott

2009/6/17 Zavodsky, Daniel (GE Money) <[email protected]>

> Hello,
> Have a look at /etc/security/access.conf - it is a very good way to
> allow/disallow logins from the console or remote hosts. Just make sure you
> are using the pam_access module in the configuration for your services in
> /etc/pam.d: login, ssh, gdm or whatever methods are used to gain access to
> the system.
>
> Regards,
> Daniel
>
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Sharpe, Sam J
> Sent: Wednesday, June 17, 2009 9:44 AM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: Re: [rhelv5-list] Italian normative for administrative access
>
> 2009/6/17 Viggiani Domenico <[email protected]>:
> > solarflow99 wrote:
> >>> Domenico Viggiani wrote:
> >>> - how can I manage administrative accesses by console
> >>> (both real consoles and remote consoles: iLO,
> >>> VMware virtual consoles, etc)?
> >>
> >> I'm not sure I really understand that part
> > At some point in time, everyone will need to access a machine by console.
> > Direct, anonymous "root" access is allowed by default on console and I
> > think that disabling it is not a viable solution (or am I wrong?). In
> > any case, datacenters are usually physically secured and staff access
> > is identified by personal badge.
> > But a problem still remains: consoles that can be accessed by network
> > (VMware machines, iLO/DRAC ports for HP/Dell servers, etc).
> > Is there a way to make console access compliant too?
>
> iLO can be connected to Active Directory so that you can login to iLO (and
> log logins) with personal accounts - but what account you use to get into
> the server from iLO does not have to be your iLO login.
>
> DRAC/VMware I don't know about.
>
> --
> Sam
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
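A check for the two controls raised in this thread (root's password field in /etc/shadow, and pam_access being loaded by the services in /etc/pam.d), added here as an example and not written by any of the posters. The function names, the service list and all file contents are constructed for illustration; the script reads only its own temporary copies.

```shell
# Added example; every file it reads is a constructed sample, not a real host.

# Classify root's password field in a shadow-format file:
#   locked  - starts with ! or * (the conventional lock markers)
#   invalid - not a recognisable crypt(3) string, so no password can match
#   usable  - looks like a real hash, so direct root password login works
#   empty   - no password set at all
root_hash_state() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$'*'$'*)  echo usable ;;
        *)  # a traditional DES hash is exactly 13 chars from [./0-9A-Za-z]
            if printf '%s' "$field" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo usable
            else
                echo invalid
            fi ;;
    esac
}

# Print each named service under PAM directory $1 that has no active
# (non-comment) pam_access.so line, i.e. where access.conf is not consulted.
services_missing_pam_access() {
    dir=$1; shift
    for svc in "$@"; do
        grep -Eq '^[[:space:]]*[^#[:space:]].*pam_access\.so' "$dir/$svc" 2>/dev/null \
            || echo "$svc"
    done
}

# Constructed fixtures: a root entry filled with random characters, and
# three PAM service files of which only sshd actually loads pam_access.
make_fixtures() {
    mkdir -p "$1/pam.d"
    printf '%s\n' 'root:x9#Qz!7rL@2mVt:14412:0:99999:7:::' \
        'scott:$1$abcdefgh$0123456789abcdefghijkl:14412:0:99999:7:::' > "$1/shadow"
    printf 'account required pam_access.so\n'  > "$1/pam.d/sshd"
    printf '#account required pam_access.so\n' > "$1/pam.d/login"
    printf 'account required pam_unix.so\n'    > "$1/pam.d/gdm"
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
echo "root password field: $(root_hash_state "$tmp/shadow")"
echo "without pam_access: $(services_missing_pam_access "$tmp/pam.d" sshd login gdm | tr '\n' ' ')"
rm -rf "$tmp"
```

A field of random characters that happens to be 13 characters from the DES alphabet would be reported as usable, so the `!` or `*` prefix is the less ambiguous way to reach the same state.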
