On 01/05/09 15:43, Menno Lageman wrote:
> Steffen Weiberle wrote:
>> For my test zones, I usually don't set a password via /etc/sysidcfg. 
>> Usually I don't configure ssh to allow root login, and the zones are 
>> configured with limited network services (secure by default), so I 
>> don't worry.
>> With build 105 (the one with Crossbow integrated), all of a sudden 
>> zlogin fails if the zone does not have a root password. The error is 
>> an incorrect password type of message.
>> # zlogin master
>> [Connected to zone 'master' pts/4]
>> Login incorrect
>> So does logging in on the console. The error messages for this on the 
>> console are:
>> Jan  5 15:04:33 master login: pam_unix_account: zlogin: empty password 
>> not allowed for account root from local host
>> Jan  5 15:04:33 master login: login account failure: Permission denied
>> Is this intentional, or a side effect (especially for zlogin)? I 
>> looked for a flag day and did not find one. Not sure how long this has 
>> been happening. I don't remember it with 101[a]. If not intentional, I 
>> can file a bug.
> It's intentional and present since build 104. See 
> http://opensolaris.org/os/community/on/flag-days/pages/2008111501/
> Menno

Thanks, Menno. Odd that my search did not hit that, maybe because I was 
looking for zone specific stuff. I had wondered what security aspects 
are involved in a 'zlogin', and now that answer is becoming clearer.

On 01/05/09 16:26, Dan Price wrote:
 > I guess you are subject to the desires of the security folks here.
 > I agree that it is mildly annoying.
 > zlogin -S (failsafe) should still work, AFAIK.
 >         -dp

Thanks, Dan. Yes, the '-S' still allows me to get into the zone. My 
work-around was to edit the non-global zone's /etc/shadow file from the 
global zone. Thank *zones* for centralized administration!!!


zones-discuss mailing list

Reply via email to