* J. Bruce Fields (bfields@fieldses.org) [031012 19:34]: > On Mon, Oct 13, 2003 at 10:15:16AM +0800, Sacha Chua wrote: > > "J. Bruce Fields" <bfields@fieldses.org> writes: > > > > > I'd like to configure a debian box to allow root logins without a > > > password; what do I need to do? The relevant line in the password file > > > is > > > root::0:0:root:/root:/bin/bash > > > I thought the empty password field would do the job, but apparently not. > > > There is no /etc/shadow file. > > > > You probably don't want to do that, as that will give everyone access > > to everything on your box. > > As far as I know I don't have anything (sshd, ftpd, etc.) installed that > allows remote logins. I'm willing to trust anyone who has access to the > console. You could add a line in /etc/issue, saying something like "log in as root, with the password 'l33th4x0r'". It's epsilon better than no root password at all. =) > Anyway, to answer my original question, it looks like what I needed to > do (in addition to making sure there was no root password in > /etc/passwd) was add "nullok" after some pam_unix.so's in the files in > /etc/pam.d/. Alternatively, you could use pam to say that logging in from a line in /etc/securetty is sufficient. That way, you still have a secret password, but console access gets you a free login anyway, and you're protected from any other entry points that may be beyond "as far as I know". I'm just throwing out ideas. It sounds like your solution is good enough for the balance of security and convenience for your particular application. You'll get a lot of "you don't want to do that" in response to a question like this, because most people's applications require more security. That doesn't mean that _every_ application does. good times, Vineet -- http://www.doorstop.net/ -- "Extremism in the defense of liberty is no vice. Moderation in the pursuit of justice is no virtue." -- Barry Goldwater
Attachment:
signature.asc
Description: Digital signature