My ongoing experiences with Ubuntu, and later Mythbuntu, as a media center with MythTV. I'm also using the system for a virtual machine server, a mediawiki server and a general all around home infrastructure base.

Sunday, September 28, 2008

Locking, but not expiring, root

I don't want to allow direct root login (not just via ssh as described here, but via console or any other way). Basically I want to make it so everything has to go through sudo. (Why? Because I like the fact that everything is traceable back to a given user.)

I had previously tried using 'passwd -l' as root to lock that account, but that seems to have the unwanted side effect of causing root's cron jobs to fail, as I see the following message in syslog whenever a root cron job is due to run:

CRON[11591]: User account has expired


The solution I found is as follows. Before you do this you want to make sure you have the ability to do things as root via sudo, or you will lock yourself out (see here for directions on this).

First, I undid what I did before and unlocked the account (skip this if you didn't previously lock the root account):

# passwd -u root
Password changed.

Then edit /etc/shadow by hand and change root's password field to "!", e.g.:

# grep root /etc/shadow
root:!:14145:0:99999:7::1:


Just to make sure, test the setup by running 'ssh -l root localhost' and trying to log in. You shouldn't be able to.
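
As an added check (example code, not from the original post), the function below classifies a shadow(5) entry by its password field and by its eighth field, the account expiry date, which is a separate setting from the password lock. The function name `shadow_state` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one shadow(5) entry.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# Usage: shadow_state LINE [TODAY]   (TODAY = days since 1970-01-01, default: now)
shadow_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$line" | awk -F: -v today="$today" '
        NF != 9 { print "malformed"; exit }
        {
            # Field 2: a leading "!" or "*" can never match a hashed password.
            if ($2 == "")             pw = "empty"
            else if ($2 ~ /^[!*]/)    pw = "locked"
            else                      pw = "set"
            # Field 8: account expiry in days since the epoch; empty = never.
            if ($8 == "")             acct = "no-expiry"
            else if ($8 + 0 <= today) acct = "expired"
            else                      acct = "active"
            printf "%s password=%s account=%s\n", $1, pw, acct
        }'
}

# Constructed sample entries (not taken from a real system); "today" fixed at day 14150.
for entry in \
    'root:!:14145:0:99999:7:::' \
    'root:!:14145:0:99999:7::1:' \
    'alice:$6$constructedsalt$constructedhash:14145:0:99999:7::20000:'
do
    shadow_state "$entry" 14150
done
# On a live system: shadow_state "$(sudo grep '^root:' /etc/shadow)"
```

For a root account that is locked but not expired, the line to look for is `root password=locked account=no-expiry`.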
