
Re: passwordless root login



* J. Bruce Fields (bfields@fieldses.org) [031012 19:34]:
> On Mon, Oct 13, 2003 at 10:15:16AM +0800, Sacha Chua wrote:
> > "J. Bruce Fields" <bfields@fieldses.org> writes:
> > 
> > > I'd like to configure a Debian box to allow root logins without a
> > > password; what do I need to do?  The relevant line in the password file
> > > is
> > > root::0:0:root:/root:/bin/bash
> > > I thought the empty password field would do the job, but apparently not.
> > > There is no /etc/shadow file.
> > 
> > You probably don't want to do that, as that will give everyone access
> > to everything on your box.
> 
> As far as I know I don't have anything (sshd, ftpd, etc.) installed that
> allows remote logins.  I'm willing to trust anyone who has access to the
> console.

You could add a line in /etc/issue, saying something like "log in as
root, with the password 'l33th4x0r'".  It's epsilon better than no root
password at all. =)

> Anyway, to answer my original question, it looks like what I needed to
> do (in addition to making sure there was no root password in
> /etc/passwd) was add "nullok" after some pam_unix.so's in the files in
> /etc/pam.d/.

Alternatively, you could use PAM to say that logging in from a line in
/etc/securetty is sufficient.  That way, you still have a secret
password, but console access gets you a free login anyway, and you're
protected from any other entry points that may be beyond "as far as I
know".

I'm just throwing out ideas.  It sounds like your solution is good
enough for the balance of security and convenience for your particular
application.  You'll get a lot of "you don't want to do that" in
response to a question like this, because most people's applications
require more security.  That doesn't mean that _every_ application
does.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Extremism in the defense of liberty is no vice.
Moderation in the pursuit of justice is no virtue."  -- Barry Goldwater 
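
An added audit example, not part of the original message: it reports where the two conditions discussed in the thread coincide, an empty password field and "nullok" on a pam_unix.so auth line. The function names and the sample file contents are constructed for illustration; only the root line comes from the thread.

```python
# Constructed sample data; the root line is the one quoted in the thread.
PASSWD = ("root::0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
          "alice:x:1000:1000::/home/alice:/bin/bash\n")
PAM = {"login": "auth required pam_unix.so nullok\n",
       "ssh": "auth required pam_unix.so\n",
       "su": "# auth required pam_unix.so nullok\nauth sufficient pam_rootok.so\n"}

def empty_password_accounts(passwd_text, shadow_text=""):
    """Names whose effective password field is empty."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue
        name, pw = parts[0], parts[1]
        if pw == "x" and name in shadow:  # real field lives in /etc/shadow
            pw = shadow[name]
        if pw == "":
            found.append(name)
    return found

def nullok_services(pam_files):
    """Services whose auth stack runs pam_unix.so with nullok."""
    hits = []
    for service, text in pam_files.items():
        for line in text.splitlines():
            tok = line.split("#", 1)[0].split()
            # nullok_secure is Debian's variant, limited to /etc/securetty ttys
            if (len(tok) >= 3 and tok[0].lstrip("-") == "auth"
                    and any(t.endswith("pam_unix.so") for t in tok)
                    and any(t in ("nullok", "nullok_secure") for t in tok)):
                hits.append(service)
                break
    return sorted(hits)

def passwordless_logins(passwd_text, pam_files, shadow_text=""):
    """(account, service) pairs where an empty password is accepted."""
    services = nullok_services(pam_files)
    return [(a, s) for a in empty_password_accounts(passwd_text, shadow_text)
            for s in services]

if __name__ == "__main__":
    for account, service in passwordless_logins(PASSWD, PAM):
        print(f"{account}: empty password accepted by PAM service '{service}'")
```

To run it against a real host, read /etc/passwd, /etc/shadow (if present) and each file under /etc/pam.d/ into these arguments. "@include" lines are not followed, so an included file has to be passed as its own entry.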
