On 8/30/06, McKown, John <[EMAIL PROTECTED]> wrote:
If I were doing this in a business environment, I would insist on digital certs and not even allow the use of passwords (and disable telnet as well, for that matter). That would only leave logging in via the "console" under z/VM and/or the "HMC Integrated ASCII terminal" for non-SSH logins. I actually run z/Linux under Hercules/390 for my
In my former life we had inittab automatically logon root on the VM console, so that was protected by z/VM RACF and LOGONBY (and SCIF ...) And we used sudo without password to issue privileged commands from our personal account (access via cryptic keys). So nobody needed a root password and there was no risk of someone else finding and using it.

Unfortunately the auditors required that we set a root password and change it every now and then. Which means there *is* a root password and someone might find it, and we're worse off than without. Sigh.

The same silly discussion applied to personal accounts but we stopped fighting that. Fortunately the ssh logon with cryptic keys does not honor the account being "locked" so we could simply lock all other accounts and not bother with expiring passwords.

Rob
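An added example, not part of the post above: a small audit that reads `/etc/shadow`-style entries and reports which accounts are reachable only by SSH key (password locked, key present), which still carry a usable password, and whether root has one. The sample entries, the fake hashes, the `SAMPLE_KEYED` set and the finding labels are constructed for illustration, and the check assumes sshd treats locked accounts as the post describes.

```python
# Constructed sample: /etc/shadow-style lines with placeholder hashes.
SAMPLE_SHADOW = """\
root:$6$examplesalt$FAKEHASHFAKEHASH:13390:0:99999:7:::
rob:!$6$examplesalt$FAKEHASHFAKEHASH:13390:0:99999:7:::
john:!!:13390:0:99999:7:::
daemon:*:13390:0:99999:7:::
guest::13390:0:99999:7:::
"""
# Constructed: accounts assumed to have a non-empty ~/.ssh/authorized_keys.
SAMPLE_KEYED = {"rob", "john"}


def password_state(field):
    """Classify the password field (second column) of a shadow entry."""
    if field == "":
        return "empty"    # no password is required at all
    if field.startswith(("!", "*")):
        return "locked"   # no typed password can ever match this value
    return "usable"       # a real hash: it can be guessed, leaked or reused


def audit(shadow_text, keyed_users):
    """Return (user, finding) pairs for entries an auditor should look at."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, state = parts[0], password_state(parts[1])
        if state == "locked" and user in keyed_users:
            findings.append((user, "key-only"))
        elif state == "usable" and user == "root":
            findings.append((user, "root-password-set"))
        elif state == "usable":
            findings.append((user, "password-login-possible"))
        elif state == "empty":
            findings.append((user, "empty-password"))
        # locked with no key: nothing to report, the account cannot log in
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW, SAMPLE_KEYED):
        print(f"{user:8} {finding}")
```

On a real host the two inputs would come from `/etc/shadow` (read as root) and a scan of each home directory for `authorized_keys`.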
