On Lu, 17 mar 14, 08:43:24, Scott Ferguson wrote:
> On 17/03/14 04:44, Andrei POPESCU wrote:
> > On Du, 16 mar 14, 01:24:03, Scott Ferguson wrote:
> >>
> >> In the spirit of investigation I tried testing a few methods of
> >> disabling root login (there are likely other methods)
> >
> > AFAIK the installer uses 'passswd -l'.
> >
> > Kind regards,
> > Andrei
> >
>
> Thanks for the information.
>
> From man passwd (less sssss, same action):-

Thanks for spotting that.

> "Lock the password of the named account. This option disables a
> password by changing it to a value which matches no possible encrypted
> value (it adds a ´!´ at the beginning of the password).
>
> Note that this does not disable the account. The user may still be
> able to login using another authentication token (e.g. an SSH key). To
> disable the account, administrators should use usermod --expiredate 1
> (this set the account's expire date to Jan 2, 1970).

This means that I can drop my ssh key in .ssh/authorized_keys and
'ssh root@hostname' if needed, which I find to be a good thing.

> Users with a locked password are not allowed to change their password."
>
> So "passwd -l" 'might'[*1] have the same effect as the second method I
> tried (in the post you refer to) which *does* stop the user rebooting
> into single-mode and logging in as root. The ways for a user to
> restore root logins in that situation are:-
> ;use rescue mode from the installer
> ;edit /etc/passwd using another OS
> ;append "init=$something" to the boot parameter
> ;(as the man suggests) login with ssh - provided you've set a token
> and don't have encryption (I'm not sure if I tried that and failed...).
>
> The method suggested there for administrators 'should' (I haven't had
> time to test it) have the same effect as "chage -E 0 root" which won't
> prohibit the user rebooting into single-mode and logging in as root.
>
> Kind regards
>
> [*1] untested, so I don't know if it adds the "!" to the start of the
> relevant line in /etc/passwd or /etc/shadow. I used /etc/passwd. YMMV.

I just did a stable install for a friend and decided to use the 'sudo'
setup (i.e. pressing Enter on the root password prompt in Debian
Installer). The results:

/etc/passwd
    root:x:0:0:root:/root:/bin/bash

/etc/shadow
    root:!:16146:0:99999:7:::

Recovery mode works as already demonstrated by Brian:

    sulogin: root account is locked, starting shell
    root@<hostname>:~#

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
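The distinction the quoted man page draws between a locked password and a disabled account can be read straight from /etc/shadow. The following is an added example, not part of the thread: the function names `classify` and `audit` are hypothetical, and every sample line except the root entry quoted in the message is constructed. It goes slightly beyond the message by also flagging empty password fields and the expiry value 0, which shadow(5) describes as ambiguous.

```python
import datetime

# Constructed sample; only the root line is taken from the message above.
SAMPLE_SHADOW = """\
root:!:16146:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16146:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:16146:0:99999:7::1:
carol::16146:0:99999:7:::
"""
EPOCH = datetime.date(1970, 1, 1)

def classify(line, today=None):
    """Return (user, password_state, expiry_state) for one shadow(5) line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    user, pw, expire = fields[0], fields[1], fields[7]
    if pw == "":
        pw_state = "empty"       # no password needed at all
    elif pw[0] in "!*":
        pw_state = "locked"      # not a valid crypt(3) result, nothing matches
    else:
        pw_state = "set"
    days_now = ((today or datetime.date.today()) - EPOCH).days
    if expire == "":
        exp_state = "none"       # account never expires
    elif int(expire) == 0:
        exp_state = "ambiguous"  # shadow(5) advises against the value 0
    elif days_now >= int(expire):
        exp_state = "expired"    # what 'usermod --expiredate 1' produces
    else:
        exp_state = "active"
    return user, pw_state, exp_state

def audit(text, today=None):
    """Map each user to a finding; expiry outranks the password state."""
    findings = {}
    for line in filter(str.strip, text.splitlines()):
        user, pw_state, exp_state = classify(line, today)
        if exp_state == "expired":
            findings[user] = "account disabled (expired)"
        elif pw_state == "locked":
            findings[user] = "password locked; SSH key or other token may still work"
        elif pw_state == "empty":
            findings[user] = "empty password field"
        else:
            findings[user] = "password login enabled"
    return findings
```

To audit a live system, pass the contents of /etc/shadow (readable by root only) to `audit()`.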