
Re: When forgetting assigned login name rather than password (and disabling root login)



On 17/03/14 04:44, Andrei POPESCU wrote:
> On Du, 16 mar 14, 01:24:03, Scott Ferguson wrote:
>> 
>> In the spirit of investigation I tried testing a few methods of 
>> disabling root login (there are likely other methods)
> 
> AFAIK the installer uses 'passswd -l'.
> 
> Kind regards, Andrei
> 

Thanks for the information.

From man passwd (less sssss, same action):-
"Lock the password of the named account. This option disables a
password by changing it to a value which matches no possible encrypted
value (it adds a ´!´ at the beginning of the password).

Note that this does not disable the account. The user may still be
able to login using another authentication token (e.g. an SSH key). To
disable the account, administrators should use usermod --expiredate 1
(this set the account's expire date to Jan 2, 1970).

Users with a locked password are not allowed to change their password."

So "passwd -l" 'might'[*1] have the same effect as the second method I
tried (in the post you refer to) which *does* stop the user rebooting
into single-mode and logging in as root. The ways for a user to
restore root logins in that situation are:-
;use rescue mode from the installer
;edit /etc/passwd using another OS
;append "init=$something" to the boot parameter
;(as the man suggests) login with ssh - provided you've set a token
and don't have encryption (I'm not sure if I tried that and failed...).

The method suggested there for administrators 'should' (I haven't had
time to test it) have the same effect as "chage -E 0 root" which won't
prohibit the user rebooting into single-mode and logging in as root.

Kind regards

[*1] untested, so I don't know if it adds the "!" to the start of the
relevant line in /etc/passwd or /etc/shadow. I used /etc/passwd. YMMV.
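
An added example, not part of the original post: a Python check over shadow(5)-format lines that separates a locked password (a "!" at the start of the second field) from an expired account (the eighth field, the expiry date that usermod --expiredate and chage -E set). It assumes shadow passwords are in use; the sample lines, placeholder hashes and function names are constructed for illustration.

```python
import time

# Constructed sample in shadow(5) format; hashes are placeholders, not real.
SAMPLE_SHADOW = """\
root:!$6$SALT$PLACEHOLDERHASH:16145:0:99999:7:::
alice:$6$SALT$PLACEHOLDERHASH:16145:0:99999:7:::
bob:$6$SALT$PLACEHOLDERHASH:16145:0:99999:7::1:
carol:!$6$SALT$PLACEHOLDERHASH:16145:0:99999:7::0:
daemon:*:16145:0:99999:7:::
"""

def password_state(pw):
    """Field 2: what a password login would do."""
    if pw == "":
        return "empty"        # no password required at all
    if pw.startswith("!"):
        return "locked"       # what 'passwd -l' produces
    if pw.startswith("*"):
        return "disabled"     # never had a usable password
    return "usable"

def account_state(expire, today):
    """Field 8: account expiry in days since 1970-01-01."""
    if expire == "":
        return "never-expires"
    days = int(expire)
    if days == 0:
        # shadow(5) warns that 0 is read either as "no expiry" or as
        # "expired on Jan 1, 1970", so do not rely on it.
        return "ambiguous-zero"
    return "expired" if days <= today else "active"

def audit(shadow_text, today=None):
    """Map each account name to (password_state, account_state, other_auth_open)."""
    if today is None:
        today = int(time.time() // 86400)
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("not a shadow(5) line: %r" % line)
        pw, acct = password_state(fields[1]), account_state(fields[7], today)
        # A blocked password on a live account still admits other tokens (e.g. an SSH key).
        other_auth_open = pw in ("locked", "disabled") and acct in ("never-expires", "active")
        result[fields[0]] = (pw, acct, other_auth_open)
    return result

if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW, today=16145).items():
        print(name, *state)
```

The third value only says that nothing in the shadow entry blocks non-password authentication; the login shell and sshd configuration are outside what this check reads.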

