
Re: Remove Root Password

 
amit mehta_2
Regular Advisor

Remove Root Password

Hi,

I have one Linux machine on which I want to delete the root password.
My aim is to issue some commands (mostly ones which require root privilege) from remote machines, and for that I'm thinking of issuing rsh (not the Kerberos rsh) from remote machines.
i.e.
[user@remote] /usr/bin/rsh -l root

To achieve the same, I did:
[root@target] passwd -d root
[root@target] service sshd restart

After this I checked the /etc/shadow file on and its
entry was removed, but still the target machine prompts for a password,
and as I've already deleted the password, even if I provide the
correct last password, it doesn't work ;(

[user@remote] /usr/bin/rsh -l root "/usr/bin/date"
root@'s password:
Permission denied, please try again.

What am I missing?
I know I can set up passwordless ssh, but why is *this* not working?
I remember being able to do this on HP-UX 11iV3 successfully, only instead
of 'rsh', I had 'remsh'.

~amit
Pieter 't Hart
Honored Contributor

Re: Remove Root Password

Could be several things:
1) the passwords on the local and target hosts are not the same.
2) the local user account is not known at the remote host.

You can also use "hosts.equiv" and ".rhosts" files to accept logins without specifying a password.
Matti_Kurkela
Honored Contributor

Re: Remove Root Password

First, the sshd service is not at all related to rsh access. The service used by the rsh client is named "rshd". In modern Linuxes, it is not installed by default: you must actively choose to install and enable it.

And by the way, there is no need to restart sshd if you change (or even delete) passwords: sshd will detect the change automatically.

Many remote login services in Linux have a safety feature: if an account has no password, it cannot be used for remote connections. This is usually implemented with the PAM settings (in the /etc/pam.d directory): either the "auth" section for the service does not have the "nullok" option, or it uses the "nullok_secure" option which allows only local logins if password is not set.

Sometimes other accounts will be allowed to go without passwords, but the root account is the most likely to have this protection.

This feature was developed because too many newbie Linux users connected their machines to the Internet with no passwords or any other protection, got their machines hacked, and then complained about it to the builders of their Linux distribution.

With remote logins, the machine will always prompt for a password, even if the specified user account is locked or even non-existent: this is to prevent anyone with no valid user account from finding out which usernames do exist on the system.

My advice: *never* allow a passwordless root account. Leaving a root account without a password is a quick way to lose a sysadmin job if someone requires a security audit. A good Unix sysadmin should *instinctively* react to passwordless root accounts with the deepest suspicion.

MK
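The PAM behaviour described in the reply above can be checked offline. This is an added example, not part of the original post: it lists accounts whose /etc/shadow password field is empty (the state `passwd -d` leaves behind) and classifies each service by the `nullok` / `nullok_secure` option on its pam_unix `auth` lines. The sample shadow and pam.d contents, the account name `alice` and the function names are constructed for illustration.

```python
# Added example: flags accounts with an empty password field and shows how
# each PAM service treats them. All sample data below is constructed.
SAMPLE_SHADOW = """\
root::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15000:0:99999:7:::
backup:!:15000:0:99999:7:::
"""

# Constructed stand-ins for files under /etc/pam.d (service name -> contents).
SAMPLE_PAM = {
    "sshd": "auth required pam_unix.so\naccount required pam_unix.so\n",
    "login": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n",
    "rsh": "# legacy service\nauth required pam_unix.so nullok\n",
}


def empty_password_accounts(shadow_text):
    """Return account names whose password field (2nd column) is empty."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names


def null_password_policy(pam_text):
    """Return 'nullok', 'nullok_secure' or 'refused' for one service file."""
    # @include lines are not followed; pass the included file's text as well.
    policy = "refused"
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != "auth":
            continue
        if not any("pam_unix" in t for t in tokens):
            continue
        if "nullok" in tokens:
            return "nullok"
        if "nullok_secure" in tokens:
            policy = "nullok_secure"
    return policy


def audit(shadow_text, pam_files):
    """Map each empty-password account to the policy of every service."""
    policies = {svc: null_password_policy(txt) for svc, txt in pam_files.items()}
    return {name: policies for name in empty_password_accounts(shadow_text)}
```

Any account returned by `empty_password_accounts` is an audit finding in itself; the per-service policy only shows where that account would currently be accepted.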
savus
Advisor

Re: Remove Root Password

Hello,
I attached a doc on how to make a remote login using ssh on Linux. I used this for sending automated commands with a script on several Linux machines. Hope that this helps.
Chris Vail
Honored Contributor

Re: Remove Root Password

As a Unix security auditor, I immediately mark as 'non-compliant' any system that uses remsh, rsh or any of the Berkeley-style remote services. They are hideously, notoriously unsecure and should be eliminated from your systems. Do not write scripts or use any procedures that use them!

Secure shell is so easy to install and use (it's free) that there is no reason to use anything else. It even scripts much more nicely than the Berkeley processes do.
Court Campbell
Honored Contributor

Re: Remove Root Password

Set a password for root. Not having a root password is just stupid IMO. Then use ssh between boxes. To make it more secure create a pub/priv key for root (without a pass phrase). And then set

PermitRootLogin without-password

in sshd_config. By doing this root can only login with key authentication. The other part I like is that even if you know root's password it won't let you login.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
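A way to confirm that an sshd_config actually enforces the key-only root login recommended in the reply above. This is an added example, not part of the original post: it reads the global section of a configuration, applies sshd's first-value-wins rule for repeated keywords, and reports any `Match` block that re-enables password login for root. The sample configuration and function names are constructed; `prohibit-password` is the newer OpenSSH name for `without-password`.

```python
# Added example: reads an sshd_config and reports how root may log in.
# The sample configuration below is constructed for illustration.
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin without-password
# a later duplicate is ignored: the first value for a keyword wins
permitrootlogin yes
PermitEmptyPasswords no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

MODES = {"without-password": "key-only", "prohibit-password": "key-only",
         "yes": "password-allowed", "no": "disabled"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides); first value per keyword wins."""
    global_settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or an optional '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value
        elif match is not None:
            overrides.append((match, key, value))
        else:
            global_settings.setdefault(key, value)
    return global_settings, overrides


def root_login_posture(text):
    """Summarise root access from the global section and Match overrides."""
    settings, overrides = parse_sshd_config(text)
    value = settings.get("permitrootlogin", "").lower()
    mode = MODES.get(value, value or "unset (compiled-in default applies)")
    widened = [m for m, k, v in overrides
               if k == "permitrootlogin" and v.lower() == "yes"]
    return {"mode": mode,
            "empty_passwords": settings.get("permitemptypasswords", "no").lower(),
            "match_blocks_allowing_password": widened}
```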
Court Campbell
Honored Contributor

Re: Remove Root Password

Also, you could just set up sudo access for a user on the box and just run the sudo commands remotely via ssh.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Kevin Wright
Honored Contributor

Re: Remove Root Password

Is rexec running? What do you have in /etc/securetty?

Also, as others stated, this is a bad idea; use ssh. No reason to even install the r-tools.