Gregory Shaw wrote:
> I'd like to add something. Correct me if I'm wrong, but as I
> understand it, if you can't log in as a regular user, you can't do
> anything as root.

Actually as of build 62 you will be able to remotely login as a role over ssh if you are using ssh with hostbased auth (but NOT password or pubkey - not sure about the status of GSS-API auth yet, I need to check on that one).

> So, should NFS time out on a login, or some other similar situation
> occur (name services broken, etc.), you can't log in as the user, and,
> you can't log in as root to fix the system.

Which is exactly the reason why root is not a role by default and I'm only suggesting doing so when we create a local account as part of the initial install.

> I've had to fix far too many broken systems in the middle of the night
> as root to want to lose that functionality. Many of the systems were in
> such a bad state that they only barely made it to single user.

Even when root is a role it can still be used to authenticate in single user mode. The reason is that we assume that a) there is an OBP/BIOS or GRUB password set and b) the console is secured by some means external to the Solaris instance (e.g. ILOM, annex, physical terminal in a locked room etc).

For those cases where the machine can reach multi user it might be acceptable to allow root to login directly on the console if it is sufficiently secured (and audited) by other means. To allow that add the following single line to /etc/pam.conf:

    login   account required        pam_unix_account.so.1

What this does is ensure that pam_roles.so.1 is NOT in the stack for console login, since by default login uses the 'other' account stack but has its own auth stack.

However I would NOT recommend doing that for the laptop or single workstation case where there is a local account with a local home directory.

--
Darren J Moffat
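The pam.conf change above relies on how Solaris PAM resolves a service's stack: entries for the named service win, and only when a service has no entry of a given module type do the 'other' entries apply. The following script, added here as an illustration and not part of the original mail, builds a constructed, abridged pam.conf that resembles the default layout (login with its own auth stack, pam_roles.so.1 in the 'other' account stack), computes the effective account stack for a service, and shows that the single added login line removes pam_roles.so.1 from console login while leaving every other service's account stack untouched. The sample file contents and the helper names (effective_stack, roles_gate_console) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): how the 'other' fallback in
# Solaris /etc/pam.conf decides whether pam_roles.so.1 gates a service.
# pam.conf line format: service  module_type  control_flag  module_path [options]

# Constructed sample pam.conf (abridged, default-style): login has its own
# auth stack but no account stack, so it inherits 'other' for account.
SAMPLE_PAMCONF=$(mktemp)
cat > "$SAMPLE_PAMCONF" <<'EOF'
# constructed sample pam.conf - not a real system file
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
EOF

# Print the module paths (one per line) of the effective stack for a
# service and module type, applying the 'other' fallback when the service
# has no entry of that type.
# usage: effective_stack <pam.conf> <service> <module_type>
effective_stack() {
    awk -v svc="$2" -v typ="$3" '
        NF == 0 || $1 ~ /^#/            { next }             # blanks, comments
        $2 == typ && $1 == svc          { own = own $4 "\n" }
        $2 == typ && $1 == "other"      { other = other $4 "\n" }
        END { printf "%s", (own != "" ? own : other) }
    ' "$1"
}

# Return 0 if pam_roles.so.1 is in the effective account stack for a service,
# i.e. role accounts (such as root-as-a-role) are refused for that service.
# usage: roles_gate_console <pam.conf> <service>
roles_gate_console() {
    effective_stack "$1" "$2" account | grep -q '^pam_roles\.so\.1$'
}

# Before: login falls through to 'other', so pam_roles.so.1 applies.
roles_gate_console "$SAMPLE_PAMCONF" login \
    && echo "default: pam_roles.so.1 is in the login account stack"

# After: the single line from the mail gives login its own account stack.
HARDENED_PAMCONF=$(mktemp)
{ cat "$SAMPLE_PAMCONF"
  echo "login   account required        pam_unix_account.so.1"
} > "$HARDENED_PAMCONF"

roles_gate_console "$HARDENED_PAMCONF" login \
    || echo "modified: pam_roles.so.1 no longer in the login account stack"
roles_gate_console "$HARDENED_PAMCONF" sshd \
    && echo "modified: sshd still falls through to 'other' and keeps pam_roles.so.1"
```

Run it as-is to see the before/after; point effective_stack at a real /etc/pam.conf (read-only) to audit which services would still accept a role login after such a change.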