
This is a two-part question. Firstly, I am just looking for validation that I am doing this correctly, since I am not sure how to test this. The goal is to disallow the login of the root account and have everyone use sudo. To achieve this, I am putting a lock on the root account, preventing anyone from logging in as root. If the need should arise, I can always make an account with full permissions and run commands intended for root through sudo. This leads me to my second question, but I will ask that near the end.

The reason I am also looking for validation is because when I did research on the topic and how to achieve this, the discussions were old and suggested that people initially set a password via rootpw in their kickstart file, then write a script in %post that edited the /etc/shadow file to set the password to something else, or use !!. I looked at my Amazon EC2 instance to see what Amazon did for the root account and it looks like this:

root:*LOCK*:14600::::::

I am assuming the reason it's locked is because of the * and not the *LOCK*. If my assumption is correct, then would:

root:*LOCK*:14600::::::

be the same as:

root:*:14600::::::

That being said, in my kickstart file I edited the line about the rootpw to look like the following:

rootpw --iscrypted *

After the installation, my /etc/shadow file looks like the following:

root:*::0:99999:7:::

Therefore my first question is, would this be a correct way to lock the root account?

Secondly, on the topic I mentioned earlier, of not using root: are there any particular circumstances where this is not recommended? If so, why would a full-access account with sudo (so you have auditing) not suffice?

Alex Mikhaelson

1 Answer


The defined way of locking the root account in a kickstart is with:

rootpw --lock
  • --lock - If this option is present, the root account is locked by default. This means that the root user will not be able to log in from the console. This option will also disable the Root Password screens in both the graphical and text-based manual installation.
Michael Hampton
  • I tried --lock; however, when you view /etc/shadow after the installation, it looks like the following: `!!$6$CntKNviGi56xZzJH$vlhJg9zwwe.rMAnQ6O/t64E1okmDedGOC1DJQsTcQwR9wgJB/DkCm00ht7El9eNvwAPfLOZ.mUH1cVi.OpZfp1`. I have no idea what was used to produce that hash, and `!!` is an indicator that a password was never set, not that it was locked. – Alex Mikhaelson Dec 14 '17 at 00:18
  • Interesting, I have no idea where the hash came from. But `!!` definitely indicates that it is locked. – Michael Hampton Dec 14 '17 at 01:13
  • The hash comes from hashing a null password with the salt... just press enter: `python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(salt='CntKNviGi56xZzJH', rounds=5000).hash(getpass.getpass()))"` – user9517 Dec 14 '17 at 06:58
  • @user430214 ah! That makes sense now. – Alex Mikhaelson Dec 14 '17 at 17:41
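To make the field semantics discussed in this thread concrete, here is an added Python example (not code from the answer or from either participant) that parses the /etc/shadow lines quoted above and classifies each password field the way shadow(5) describes them; the `alice` and `nopass` rows, the date fields and the `alice` hash value are constructed for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: the four root rows are the ones quoted in the question
# and comments above; alice and nopass are made up to show the other cases.
SAMPLE_SHADOW = """\
root:*LOCK*:14600::::::
root:*:14600::::::
root:*::0:99999:7:::
root:!!$6$CntKNviGi56xZzJH$vlhJg9zwwe.rMAnQ6O/t64E1okmDedGOC1DJQsTcQwR9wgJB/DkCm00ht7El9eNvwAPfLOZ.mUH1cVi.OpZfp1:17514:0:99999:7:::
alice:$6$saltsalt$NOTAREALHASH.constructed.sample:17514:0:99999:7:::
nopass::17514:0:99999:7:::
"""

# Modular-crypt hashes ($1$, $5$, $6$, $2b$, $y$ ...) or the 13-char traditional DES form.
_CRYPT_RE = re.compile(r"^\$[0-9A-Za-z]{1,3}\$|^[./0-9A-Za-z]{13}$")


def is_crypt_hash(field: str) -> bool:
    """True if the field looks like a usable crypt(3) result."""
    return bool(_CRYPT_RE.match(field))


def classify_password_field(field: str) -> str:
    """Meaning of a shadow password field per shadow(5). Note that this only
    governs UNIX password authentication: SSH keys or other PAM methods are
    not blocked by a locked or unusable field."""
    if field == "":
        return "NO_PASSWORD_REQUIRED"   # anyone can log in without a password
    if field.startswith("!"):
        body = field.lstrip("!")
        if body == "":
            return "LOCKED_NEVER_SET"   # "!!": locked, no password ever set
        return "LOCKED_HASH_KEPT" if is_crypt_hash(body) else "LOCKED"
    if is_crypt_hash(field):
        return "ACTIVE"
    return "NO_PASSWORD_LOGIN"          # "*", "*LOCK*": not a crypt(3) result


def parse_shadow(text: str) -> List[Dict[str, object]]:
    """Parse shadow-format lines into name/status rows; rejects malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        status = classify_password_field(fields[1])
        rows.append({"name": fields[0], "status": status,
                     "password_login_possible": status in ("ACTIVE", "NO_PASSWORD_REQUIRED")})
    return rows


if __name__ == "__main__":
    for row in parse_shadow(SAMPLE_SHADOW):
        print(f"{row['name']:8} {row['status']:22} password login: {row['password_login_possible']}")
```

Running it on a real /etc/shadow (as root) shows at a glance which accounts still accept password logins, which is the check the question asks how to perform.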