Given the available options I would vote for allowing no-password logons to Linux via the console. Because:
- Recording passwords is bad policy. Anyone who sees a console or console listing can then use the discovered passwords elsewhere.
- Depending on keyboard mapping and special characters used (# ^ [ ]), logon to Linux becomes difficult or impossible via the 3215.
- Access to the console can (should!) be restricted by regular VM security or ESM, the only possible problem being that some sites require >8 character upper-lower case passwords for their UNIX-type systems.

Ray Mrohs
U.S. Department of Justice
202-307-6896

> 1) For Linux on Z, there is no legitimate reason to be using the console
> for anything but emergencies that have broken network access to the
> guest. ssh with keyrings and sudo are for normal maintenance and
> operations access. If the server is so horked that you need the console,
> you DEFINITELY don't want J Random Luser messing with it. In that
> scenario, the people who will be working at the console already HAVE the
> root password or an equivalent security token and can do as much damage
> as they like. You aren't improving the security of things any by
> requiring the extra login at the console.
>
> 2) You have an authentication method as strong as the Unix login already
> in place (the VM userid login), assuming that you have decent password
> policies in place already for the VM side (and if not, why not?).
>
> 3) You can audit the living heck out of the VM login with an ESM, and
> even without one, CP does some fairly decent logging that's really,
> REALLY hard to circumvent.
>
> 4) LOGONBY can be selective -- no need to give them access to
> *everything*.
>
> I guess I'm more confident in the VM side of the world and the audit
> capabilities there. I think I'd be able to make the case to a hostile
> auditor.
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
