On 17/03/14 04:44, Andrei POPESCU wrote:
> On Du, 16 mar 14, 01:24:03, Scott Ferguson wrote:
>>
>> In the spirit of investigation I tried testing a few methods of
>> disabling root login (there are likely other methods)
>
> AFAIK the installer uses 'passswd -l'.
>
> Kind regards,
> Andrei
>

Thanks for the information.

From man passwd (less sssss, same action):-

"Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

Users with a locked password are not allowed to change their password."

So "passwd -l" 'might'[*1] have the same effect as the second method I tried (in the post you refer to) which *does* stop the user rebooting into single-mode and logging in as root.

The ways for a user to restore root logins in that situation are:-
;use rescue mode from the installer
;edit /etc/passwd using another OS
;append "init=$something" to the boot parameter
;(as the man suggests) login with ssh - provided you've set a token and don't have encryption (I'm not sure if I tried that and failed...).

The method suggested there for administrators 'should' (I haven't had time to test it) have the same effect as "chage -E 0 root" which won't prohibit the user rebooting into single-mode and logging in as root.

Kind regards

[*1] untested, so I don't know if it adds the "!" to the start of the relevant line in /etc/passwd or /etc/shadow. I used /etc/passwd. YMMV.
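
Added example (not part of the original message): the man page excerpt quoted above distinguishes a locked password from a disabled account, and this script reports both states for each line of shadow(5)-format input. The function names, state labels and sample entries are constructed for illustration; the field positions (password in field 2, account expiry in field 8) are those documented in shadow(5).

```shell
#!/bin/sh
# Report password state and account-expiry state for shadow(5) lines on stdin.
# Usage: shadow_state [today_in_days_since_epoch] < shadow-format-file
shadow_state() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    {
        pw = $2; e = $8
        # Field 2: a leading "!" is what passwd -l adds; "*" is never a valid hash.
        if (pw == "")                    p = "empty"
        else if (substr(pw, 1, 1) == "!") p = "locked"
        else if (pw == "*")              p = "unusable"
        else                              p = "set"
        # Field 8: account expiry in days since 1970-01-01 (usermod --expiredate 1 => 1).
        # shadow(5) advises against 0 because its meaning is ambiguous.
        if (e == "")                     a = "never-expires"
        else if (e + 0 == 0)             a = "ambiguous-zero"
        else if (today + 0 >= e + 0)     a = "expired"
        else                              a = "active"
        printf "%s password=%s account=%s\n", $1, p, a
    }'
}

# Constructed sample entries (placeholder hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
root:!$6$CONSTRUCTED$placeholderhash:16100:0:99999:7:::
alice:$6$CONSTRUCTED$placeholderhash:16100:0:99999:7::1:
daemon:*:16100:0:99999:7:::
carol:$6$CONSTRUCTED$placeholderhash:16100:0:99999:7::0:
EOF
}

sample_shadow | shadow_state
```

On a live system, run `shadow_state < /etc/shadow` as root; a line showing `password=locked account=never-expires` is an account that can still be entered by any non-password route.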

