On 16 August 2017 at 00:47, Rick Troth <r...@casita.net> wrote:
>
> It's arguable that having to enter a password at a "login:" prompt would
> actually be /less/ secure.
>
Indeed. It can be argued, and I did that a lot :-) A lot of the security rituals we follow were created for problems that don't exist anymore, or never existed at all.

https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

The point is that you separate authentication (show RACF your own pass phrase) and access control (whether you are allowed to do this). Add to that the fact that you log the access and annotate that with the console log of the virtual machine. This is much better than mailing lists or spreadsheets to distribute root passwords among those who need to know (and others).

We used to run all guests with root automatically logged on, so those with a business need for access did not need a root password. When you know the root password, you can use it in other situations as well. To stress the point, our Linux guests did not even *have* a root password (pretty funny when the application developer brought his manager to demand the root password of the system). But security policy dictated that we had to have a root password and change it every 30 days, so we set a random root password through cron on a weekly basis :-)

Rob