On Mon, May 19, 2008 at 11:58:11AM -0700, Scott Rotondo wrote: > Dale Ghent wrote: > >I haven't been able to follow every message in this busy thread, but > >please fill me on regarding one question I have: > > > >At many sites, 'root' is the only local, non-locked account and all > >other users (aside from the standard system accounts such as > >daemon..nobody) are in NIS, LDAP, or the like and are auth'd via Kerberos. > > > >Given that environment, what would happen in a situation where a box > >under this proposed scheme were to boot into single-user, with network > >access unavailable? > > I'm not answering on behalf of the project team, but I believe this > interpretation will be non-controversial. > > Only local, unlocked accounts can be used to log in if name services are > unavailable. If root is one of those accounts, it would continue to work > as before. > > Under this proposal, another local, unlocked account could be used for > single-user login if
Yes, but, why bother? We can already say that root can only log in on console, but we can't do that (unless this case adds a way to do it) for other local users. What does the username of that one local user matter? Either way, if there's only one then its password will be shared, and auditing goes out the window. It's up to the customer to provide physical security. It's up to the customer to secure access to the console. We provide a way to limit root logins to console logins only. All we need is a way to treat 'root' as a login on console and a non-shared-password role elsewhere. Am I missing something? Nico --
