On Tue Feb 05 15:46:15 CST 2008, "Stricklin, Raymond J" <[EMAIL PROTECTED]> wrote:
> >> Ohh, I can. If login for non-root users is broken for any
> >> reason, you're done. (Seen that happen a number of times on
> >> Intel/AMD systems.)
>
> That's precisely the sort of thing I was thinking of. The nologin
> situation is also a good one. I haven't worked enough with this
> part of Linux to have been more specific, so I chose to punt. If we
> were talking about, for example, Sun or pSeries, I would've been more
> strenuous in my recommendation.
>
> ok
> r.

Something we do on my desktop distribution is require gpg-agent for logging in, if it's installed and the user has a GPG key (in this case, root). gpg-agent allows you to have more levels of security. You can tie it to the system's xsession file to further secure X sessions... and you can add it to the system profile to further secure terminal (and console) sessions. Depending on how you write your .profile script, it could be required *only* if logging in on the console.

What does it do? It requires the person logging in to also enter their GPG key pair passphrase, or get bumped out. It will then cache the passphrase in memory as a daemon during that login session, if you tell it to.

How would I deploy it? I'd set your system's /etc/profile or /etc/bash_profile (if the root shell is bash) to test for the TTY it's on; if it's on your console TTY, require gpg-agent to execute and finish with a 0 exit code... if any other exit code, exit the shell immediately.

Then, keep the passphrase as either an impossible unknown (never allowing root login on the console, but user accounts could)...

OR

Keep the passphrase with whatever responsible management, where only management could release the passphrase if there were an emergency... followed by an act of requiring a passphrase change after such an emergency.

This allows you to have a root password + a GnuPG (GPG) passphrase. You can also enable this for network logins, if you wish. Say network logins require authenticating with an SSH key (not a unix password) + a GnuPG passphrase, in a two-level authentication.

Hope this helps.

*Brandon Darbro

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
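The /etc/profile gate Brandon describes, written out as an added example (this is not his script and not part of the original thread). It assumes that the local console is /dev/console or /dev/tty followed by a number, that the user's secret key is the one gpg picks by default, and that the passphrase check is a throwaway gpg signing operation, which pinentry prompts for on the tty named in GPG_TTY and which fails with a non-zero status if the key cannot be unlocked. The gate is split into small functions so the tty test and the decision logic can be exercised without a key on hand; only the commented-out lines at the end would actually go into the profile.

```shell
#!/bin/sh
# Added example of a console-login gate for /etc/profile (not the poster's code).
# Assumption: console ttys are /dev/console and /dev/tty[0-9]*; anything else
# (pseudo-terminals from ssh, serial lines) is "not the console".
is_console_tty() {
    case "$1" in
        /dev/console|/dev/tty[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Passphrase check (assumed technique): sign a constructed one-line message.
# gpg asks the agent for the key, the agent runs pinentry on GPG_TTY, and the
# command exits non-zero if the passphrase is wrong or the prompt is aborted.
# A running gpg-agent keeps the unlocked key cached for the rest of the session
# if it is configured to do so.
gpg_passphrase_check() {
    GPG_TTY=$(tty)
    export GPG_TTY
    printf 'login check\n' | gpg --yes --sign --output /dev/null >/dev/null 2>&1
}

# Decision: returns 0 when the login may proceed, 1 when the shell must exit.
#   $1 = tty path of this login session
#   $2 = name of the command that performs the passphrase check
console_login_gate() {
    gate_tty=$1
    gate_check=$2
    if is_console_tty "$gate_tty"; then
        # On the console the check is mandatory; its exit status is the verdict.
        if "$gate_check"; then
            return 0
        fi
        return 1
    fi
    # Not a console login: the console-only gate does not apply.
    return 0
}

# What /etc/profile would run for an interactive login shell (left commented
# so this file can be sourced safely while reading it):
# if ! console_login_gate "$(tty)" gpg_passphrase_check; then
#     echo "GnuPG passphrase check failed; closing session." >&2
#     exit 1
# fi
```

Because the shell exits on a failed check, the passphrase can only be "an impossible unknown" for root if console root logins are meant to be blocked outright; for the emergency-release variant from the post, the same gate applies and the passphrase change afterwards is a procedural step, not something the script enforces.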
