[plug] Linux security idea - maybe
Leon Brooks
leon at brooks.fdns.net
Fri Jun 13 00:11:07 WST 2003
On Thu, 12 Jun 2003 23:37, Craig Ringer wrote:
> Here's an example (DO NOT USE w/o first having a console open as
> root, another root console running vi /etc/passwd, and a rescue disk
> handy - just in case):
> /etc/passwd
> root:x:0:0:root:/root:/bin/false
> realsuper:x:0:0:real superuser:/realsuper:/bin/bash
> ....other...users....
> /etc/shadow
> root:*:12165:0:99999:7:::
> realsuper:MD5_PASSWORD_DELETED_FOR_SECURITY:12165:0:99999:7:::
> ....other....users....
> Now, a login as root will always fail, and a login as "realsuper"
> will succeed and give superuser rights. Occasional confusion where
> after login your username sometimes appears as "root" (on created
> files for example) is not unusual, but is not to be stressed about.
How brave are you? (-:
Delete *both* root passwords and have the ssh2 public key from a
seldom-used user on (an)other machine(s) in /root/.ssh/authorized_keys.
If you lose network, you can always use the init=/bin/bash option from
the console anyway. (-: You did password LILO, didn't you? :-)
Cheers; Leon
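
Added example, not part of the original thread: a small audit that reports the two conditions discussed above, a second account sharing UID 0 and an account whose password field is empty. The sample file contents, the function names and the list of no-login shells are assumptions made for this example.

```python
# Constructed sample data in the layout quoted in the thread (hashes are fake).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/false
realsuper:x:0:0:real superuser:/realsuper:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:12165:0:99999:7:::
realsuper:$1$CONSTRUCTED$notarealhash:12165:0:99999:7:::
alice::12165:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def password_state(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"    # no password needed to log in
    if field[0] in "*!":
        return "locked"   # no password can match
    return "set"


def audit(passwd_text, shadow_text):
    """Return (user, finding, password_state, shell) tuples."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue      # skip comments and malformed lines
        name, pw, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        # "x" means the hash lives in shadow; a missing shadow entry is
        # treated as locked (assumption of this example).
        state = password_state(shadow.get(name, "*") if pw == "x" else pw)
        if uid == 0 and name != "root":
            findings.append((name, "uid0-alias", state, shell))
        if state == "empty" and shell not in NOLOGIN_SHELLS:
            findings.append((name, "empty-password", state, shell))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

To check a live system, pass the contents of /etc/passwd and /etc/shadow to audit(); reading /etc/shadow requires root.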