Robert L Cochran
cochranb at speakeasy.net
Mon Jun 15 21:38:44 UTC 2009
The "locked box" approach is probably not used in very large
enterprises. At least not where I work (> 100,000 employees, > 98,000
Tier 3 workstations.)
On 06/15/2009 03:14 PM, Phil Meyer wrote:
> Mike Dwiggins wrote:
>> I installed Fedora 11 on a dual-boot machine. When I booted up on
>> the Fedora partition I went straight to /etc/pam.d/gdm and deleted
>> the line which keeps out root as a login.
>> I still cannot log in as root! Did this version hide a block on root
>> somewhere else?
> Many have answered properly here, but it may not be common knowledge
> how it is done professionally in large shops.
> In most big data centers, the root password is not known to anyone,
> but is kept in a sealed envelope in a locked drawer at the operations
> center, which is manned 24x7. It takes manager approval to open the
> desk, lock-box, envelope, and get the root password.
> Consider that, next time you 'think' you need to log in as root. I
> personally have administered UNIX/Linux systems for years at a time
> without ever typing the root password, or logging in as root.
> During automated installs, and all large shops do/should be doing
> automated installs, the root password is set.
> Management and the operations staff can set the root passwords across
> all systems at once, and without notice to me or any other administrator.
> In fact, normal users cannot log into most systems, and administrators
> can only log in remotely with ssh keys (no passwords) to the systems
> that they administer.
> Just a thought. It was never intended that casual users ever log in
> as root on any UNIX based system, and should have been less prevalent
> on Linux for many years.
> I myself felt it necessary to log in as root on Linux systems for one
> post install session, up until about Fedora 2. But not since then.
> Good Luck!