A better way to do this than inserting random characters is probably usermod -L user
Scott

On Wed, Jun 17, 2009 at 8:20 AM, Scott Robertson <[email protected]> wrote:

> Another option is putting random characters in root's password hash in
> /etc/shadow. This would mean that no one should be able to log in directly as
> root remotely or at the console. You could then use sudo (rather than su)
> to allow users to have root privileges.
>
> Good luck,
> Scott
>
> 2009/6/17 Zavodsky, Daniel (GE Money) <[email protected]>
>
>> Hello,
>> Have a look at /etc/security/access.conf - it is a very good way to
>> allow/disallow logins from the console or remote hosts. Just make sure you
>> are using the pam_access module in the configuration for your services in
>> /etc/pam.d: login, ssh, gdm or whatever methods are used to gain access to
>> the system.
>>
>> Regards,
>> Daniel
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:
>> [email protected]] On Behalf Of Sharpe, Sam J
>> Sent: Wednesday, June 17, 2009 9:44 AM
>> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
>> Subject: Re: [rhelv5-list] Italian normative for administrative access
>>
>> 2009/6/17 Viggiani Domenico <[email protected]>:
>> > solarflow99 wrote:
>> >>> Domenico Viggiani wrote:
>> >>> - how can I manage administrative accesses by console
>> >>> (both real consoles and remote consoles: iLO,
>> >>> VMware virtual consoles, etc)?
>> >>
>> >> I'm not sure I really understand that part
>> > At some point in time, everyone will need to access a machine by console.
>> > Direct, anonymous "root" access is allowed by default on console and I
>> > think that disabling it is not a viable solution (or am I wrong?). In
>> > any case, datacenters are usually physically secured and staff access
>> > is identified by personal badge.
>> > But a problem still remains: consoles that can be accessed by network
>> > (VMware machines, iLO/DRAC ports for HP/Dell servers, etc).
>> > Is there a way to make console access compliant too?
>>
>> iLO can be connected to Active Directory so that you can log in to iLO (and
>> log logins) with personal accounts - but what account you use to get into
>> the server from iLO does not have to be your iLO login.
>>
>> DRAC/VMware I don't know about.
>>
>> --
>> Sam
>>
>> _______________________________________________
>> rhelv5-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/rhelv5-list
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
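
Added example (not part of the original thread): a Python audit over shadow-format lines that compares the two approaches discussed above. usermod -L puts a '!' in front of the stored hash, so the lock is visible and reversible, while a hash with random characters inserted looks like any other hash. The sample lines, account names and function names are constructed for illustration.

```python
# Constructed sample in shadow(5) format; the hashes are made up.
SAMPLE_SHADOW = """\
root:!$6$Qx1ZsaltSALT$Zm9vYmFyYmF6cXV4:14412:0:99999:7:::
admin1:$6$Qx1ZsaltSALT$Zm9vYmFyYmF6cXV4:14412:0:99999:7:::
garbled:$6$Qx1ZsaltSALT$Zm9vXXXXYmF6cXV4:14412:0:99999:7:::
daemon:*:14000:0:99999:7:::
newacct:!!:14412:0:99999:7:::
guest::14412:0:99999:7:::
"""

NOTES = {
    "locked": "password locked with '!' prefix; hash kept, usermod -U reverses it",
    "no-hash": "no usable password hash set",
    "empty": "EMPTY password field, login without a password may be possible",
    "hash-present": "hash present; a garbled hash cannot be told from a working one",
}

def classify(field):
    """Classify the second (password) field of a shadow entry."""
    if field == "":
        return "empty"
    if field.startswith("!"):
        # One or more '!' in front of a hash is a lock; '!' alone means no hash.
        return "locked" if field.lstrip("!") else "no-hash"
    if field == "*":
        return "no-hash"
    return "hash-present"

def audit(shadow_text):
    """Map each account name to the state of its password field."""
    results = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        results[parts[0]] = classify(parts[1])
    return results

def finding(shadow_text, account="root"):
    """One-line audit finding for a single account."""
    state = audit(shadow_text).get(account)
    if state is None:
        return f"{account}: no shadow entry"
    return f"{account}: {NOTES[state]}"

if __name__ == "__main__":
    for name in audit(SAMPLE_SHADOW):
        print(finding(SAMPLE_SHADOW, name))
```

On a real host the input would be the contents of /etc/shadow read as root; the password lock concerns password authentication only.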
