On Thu, Nov 11, 2010 at 09:06, Domenico Viggiani <[email protected]> wrote:
>> Marti, Robert wrote:
>> I wonder why you think Ubuntu does that for security?
>>
>> ...
>> While your plan should work, is there a reason behind it? (besides the
>> noted fsck problem)
>
> Yes, and it is not for security, in the strict sense :-)
> Recent regulations in Italy require avoiding "impersonal" administrative
> access.
> I solved it by configuring personal, centralized authentication to Active
> Directory and doing "su -" every time I need administrative access. In this
> way, every root login can be tied to a name and I'm compliant with the rules.
> I'd like to go a step further, avoiding shared knowledge of the root password
> at all, and I was thinking of an extensive use of "sudo", as suggested in
> many contexts.
>
> Thus, don't think of practical reasons but help me to disable generic root
> access, with the obvious escapes in case of disaster (no network, rescue,
> etc.)

There are many ways of doing this. I used the following to meet the standards
you have above.

1) The root account has a generated password that is saved in an envelope
   etc. for emergencies.
2) The password hash is centrally managed, so that if it changes, a flag
   email goes out and it is changed back to the stored one.
3) Accounts only have sudo access to systems.

Procedure-wise, the root password is locked away per system in a safe. When
it needs to be used:

 a) the process is to log access to the safe,
 b) give the person the envelope,
 c) make a new centrally managed password for that system and a new envelope,
 d) have the person log in with that password for such reasons and then push
    out the new password to the system.

In the case where something like puppet or cfengine is in place, the password
is made, changed on the system, sealed in the envelope and put away in the
safe.

In general this works. One can even get away from having a root password if
one is OK with allowing a rescue disk to fsck etc.

Hope that helps.

> Thanks
> --
> DV
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
>

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard battle."
-- Ian MacLaren
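The drift check behind step 2 of the reply (a stored copy of the root hash, an alert and a reset whenever the hash on the box no longer matches), written out as an added example; it is not code from the list thread, from Red Hat or from any configuration-management tool. It operates on whichever shadow file you hand it, so it runs offline against a constructed copy; the stored-hash file, the alert function and the `HOSTNAME` fallback are placeholders you would replace. On a live RHEL host the reset should go through `usermod -p` or `chpasswd -e` with the stored hash rather than rewriting /etc/shadow directly, and the script would be run from cron or pushed by puppet/cfengine as the reply suggests.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): detect and undo drift of
# the root password hash from a centrally stored copy. Assumptions: the expected
# hash lives in a root-only readable file whose path you pass in, and alert()
# is a placeholder for mail(1)/logger in production.

# alert MESSAGE -> placeholder notification; swap for mail/syslog in production.
alert() {
    printf 'root-hash-audit: %s\n' "$*" >&2
}

# root_hash_from_shadow SHADOWFILE -> prints the hash field of the root entry.
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
root_hash_from_shadow() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# check_root_hash SHADOWFILE EXPECTEDFILE
#   returns 0 if the hash matches the stored copy, 1 if it drifted,
#   2 if either the root entry or the stored copy is missing.
check_root_hash() {
    current=$(root_hash_from_shadow "$1")
    expected=$(cat "$2" 2>/dev/null || :)
    if [ -z "$current" ] || [ -z "$expected" ]; then
        return 2
    fi
    if [ "$current" = "$expected" ]; then
        return 0
    fi
    return 1
}

# restore_root_hash SHADOWFILE EXPECTEDFILE -> rewrite only root's hash field,
# leaving every other account untouched. On a real system prefer
# `usermod -p "$expected" root` (or `chpasswd -e`) over editing /etc/shadow.
restore_root_hash() {
    expected=$(cat "$2")
    tmp="$1.tmp.$$"
    awk -F: -v OFS=: -v h="$expected" '$1 == "root" { $2 = h } { print }' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# audit_root_hash SHADOWFILE EXPECTEDFILE -> prints unchanged|restored|missing.
# On drift it alerts first (so a silent restore can never hide the event) and
# then puts the stored hash back.
audit_root_hash() {
    if check_root_hash "$1" "$2"; then
        echo "unchanged"
        return 0
    else
        rc=$?
    fi
    if [ "$rc" -eq 2 ]; then
        echo "missing"
        return 2
    fi
    alert "root password hash on ${HOSTNAME:-this host} differs from the stored copy; restoring it"
    restore_root_hash "$1" "$2"
    echo "restored"
}

# Typical cron invocation on a real host (placeholder path for the stored hash):
#   audit_root_hash /etc/shadow /var/lib/root-hash/expected
```

The alert is deliberately sent before the restore: the point of step 2 is that an unexpected change is noticed, and the reset is only there so the envelope in the safe stays valid. Hashes in the stored file are compared as opaque strings, so the script never needs to know the password itself.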
