Disabling root logins
Hello.
I was wondering how people feel about completely disabling root logins?
To do so, I'm thinking I would edit /etc/passwd, and put /bin/false, or something comparable, as the default shell for root.
The goal is to always require sys admins to log in as themselves, including at the console, for accountability/tracking purposes.
I'm thinking we would use sudo to work with root privileges.
Again, the purpose is not to limit what sys admins can do, just to require them to log in as themselves, even from the console.
Thanks,
Steve Adams
Ithaca College
# 1
Changing the shell from an interactive one to a non-interactive one is probably not the best idea.
Also, understand that if you change root's password to "NP", for instance, you'll have problems if you reboot to single and are prompted to input root's password if there isn't a password.
Others may chime in with better suggestions, but sometimes you have to look at security and weigh the risks of a really bad situation that security will eventually prevent you from fixing - jeff
# 2
In /etc/default/login
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console
Change to:
CONSOLE=
Then root will not be able to log in directly from anywhere. Users can still log in and su to root. This method can give you an audit trail of sorts.
You will have to check what happens in the case of login to single user mode.
# 3
It works: you can log in in single user (if you boot -s), and nobody is able to log in at the console once in multiuser mode.
Perhaps you want to look at this in the event you have any startup scripts trying to do an "su - <someuser>" during boot up; I'm not sure how that will affect/if it affects those scripts. If you don't have that, then this works fine - jeff
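Added example, not part of the thread or written by any poster: a small shell check that reports which of the three CONSOLE states from reply #2 a login defaults file is in, and flags a non-interactive root shell as discussed in the original post and reply #1. The function names, the sample files and the "last CONSOLE= line wins" rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report how a Solaris-style /etc/default/login and
# /etc/passwd treat direct root logins. File paths are arguments so the
# check can run against copies; the sample files below are constructed.

# Prints "anywhere" (CONSOLE commented out or absent), "none" (CONSOLE=
# set but empty) or the device that root is restricted to.
root_login_scope() {
    if ! grep -q '^[[:space:]]*CONSOLE=' "$1"; then
        echo anywhere
        return 0
    fi
    # If several CONSOLE= lines exist, this example reports the last one
    # (an assumption about precedence, not taken from the thread).
    dev=$(sed -n 's/^[[:space:]]*CONSOLE=[[:space:]]*//p' "$1" | tail -1)
    if [ -z "$dev" ]; then echo none; else echo "$dev"; fi
}

# Prints root's login shell (field 7 of the passwd entry).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Usage: audit_root_login <login-defaults-file> <passwd-file>
audit_root_login() {
    scope=$(root_login_scope "$1")
    shell=$(root_shell "$2")
    case "$shell" in
        */false|*/nologin)
            echo "WARN root shell $shell is non-interactive" ;;
    esac
    case "$scope" in
        none)     echo "OK root cannot log in directly; use su or sudo" ;;
        anywhere) echo "WARN CONSOLE not set; remote root login allowed" ;;
        *)        echo "INFO root may log in directly only on $scope" ;;
    esac
}

# Constructed sample: the CONSOLE= change from reply #2 combined with the
# /bin/false shell proposed in the original post.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Comment this line out to allow remote login by root.' \
        '#' 'CONSOLE=' > "$d/login"
    printf '%s\n' 'root:x:0:0:Super-User:/:/bin/false' > "$d/passwd"
    audit_root_login "$d/login" "$d/passwd"
    rm -rf "$d"
}
demo
```

On a live system the two arguments would be /etc/default/login and /etc/passwd.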