Well, I don't think so. You only need to log on to the console when you have
big problems, and we have just set a really long and complicated password for
the root user and stored it away for emergency use in a safe. You still have
the external shell protection by restricting who can access the server room.
All other users must use sudo anyway, so you don't need the root password on a
daily basis, and that's enough for PCI DSS.

/Leif

-----Original Message-----
From: Brad Tilley [mailto:b...@16systems.com]
Sent: 14 October 2010 14:09
To: Leif Blixt; openbsd-misc
Subject: Re: Force passwordcheck in login.conf

Leif Blixt wrote:
> Hi!
>
> We have just figured out a different approach, and will discuss our new idea
> with our QSA tomorrow. The idea is to completely turn off the possibility to
> log in with passwords, and to use SSH key pairs with long and good passphrases
> instead. It will lead to more work with administrating accounts and there is a
> small problem on how to distribute the public key to all servers, but we don't
> have to set up a RADIUS server just yet!
>
> I will let you know what the response from our QSA is.
>
> /Leif

Can you do that? I think local logon would still be an issue, at least
the way I read it. Anyone in front of the machine at a console would be
subject to the requirements.

Brad
