To get around the problem of having to change the root password every time a sysadmin leaves the organization, Solaris is hardened as follows:

In /etc/default/login: CONSOLE
Restricted permissions on su so only certain groups can run it.

That way it's really difficult to log in as root even if the root password is known.

For OpenSSH, PermitRootLogin is set to without-password and a key is added to the authorized_keys file for each sysadmin.

BUT if in sshd_config UseLogin is set to yes, then RSA keys cannot be used to get in as root. If UseLogin is set to no, then sshd doesn't do the keylogin; therefore, no home directory (DH Secured NFS) and restricted access to the NIS+ maps.

Should sshd be fixed to handle the keylogin? (Obviously this could only work with password auth.)

Tim McGarry
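An added example, not code from the thread or from OpenSSH: a small POSIX shell audit that reads an sshd_config and reports whether it matches the setup described above (PermitRootLogin without-password with UseLogin no) or the combination the post says breaks RSA-key root login (UseLogin yes). It assumes sshd honours the first occurrence of a keyword, ignores Match blocks, and assumes compiled-in defaults of PermitRootLogin yes and UseLogin no; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two directives the post
# ties together. Not from the original thread or from OpenSSH.
# Assumptions: sshd applies the first occurrence of a keyword (Match
# blocks are not handled), and the compiled-in defaults are
# PermitRootLogin yes and UseLogin no.

# effective_value CONFIG KEYWORD DEFAULT
# Print the value from the first non-comment line whose keyword matches
# (case-insensitive), or DEFAULT if the keyword never appears.
effective_value() {
    val=$(awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# root_key_login_status CONFIG
# Classify the config against the setup described in the thread:
#   keys-usable     PermitRootLogin without-password and UseLogin no
#   conflict        key-only root login but UseLogin yes (the combination
#                   the post reports as blocking RSA-key root login)
#   root-login-off  PermitRootLogin no
#   password-root   any other PermitRootLogin value (root may use a password)
root_key_login_status() {
    prl=$(effective_value "$1" PermitRootLogin yes)
    ul=$(effective_value "$1" UseLogin no)
    case "$prl" in
        no) echo root-login-off ;;
        without-password)
            if [ "$ul" = yes ]; then echo conflict; else echo keys-usable; fi ;;
        *) echo password-root ;;
    esac
}

# Constructed sample configs (not from the original post).
tmp=$(mktemp -d)
cat > "$tmp/broken.conf" <<'EOF'
# UseLogin yes: the combination reported as blocking key-based root login
PermitRootLogin without-password
UseLogin yes
EOF
cat > "$tmp/working.conf" <<'EOF'
PermitRootLogin without-password
UseLogin no
EOF
cat > "$tmp/default.conf" <<'EOF'
# neither keyword set: the assumed defaults apply
Port 22
EOF

for f in broken working default; do
    printf '%s: %s\n' "$f" "$(root_key_login_status "$tmp/$f.conf")"
done
```

Run it against a real /etc/ssh/sshd_config by calling root_key_login_status on that path; the first-match rule is why a stray early PermitRootLogin line silently wins over a later one.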
> then sshd doesn't do the keylogin, therefore, no home directory (DH Secured
> NFS) and restricted access to the NIS+ maps.
>
> Should sshd be fixed to handle the keylogin? (Obviously this could only work
> with password auth.)

keylogin is handled by pam_unix on Solaris, and since sshd always calls pam_setcred if it was built with PAM support, this should just work.

If you want AUTH_DH secured NFS then you can't use publickey authentication with sshd, since you need to supply your secure RPC key (which is usually the same as your login password).

--
Darren J Moffat
> To get around the problem of having to change the root password every time a
> sysadmin leaves the organization Solaris is hardened as follows.

Gratuitous editorial remark: Wouldn't it be better to avoid having a widely known root password and use sudo instead, which does user-based authentication? That is what we do and it works well.

> Restricted permissions on su so only certain groups can run it.
>
> That way it's really difficult to log in as root even if the root password is
> known.

This sounds like a reinvention of the "wheel group". You might want to do a search in Google for 'site:gnu.org "wheel group"', which will turn up an interesting news discussion about this topic.

IMNHO it really just means you need two passwords, root's plus someone's in the wheel group as well. And if you were root before, then it should be easy to have set up an account in the wheel group whose password you know. That way, when you do leave the company, you are all set to be disgruntled at a moment's notice and break back in later. ;-)

Bob