[Freeipa-devel] command-line arguments

Andrew C. Dingman adingman at redhat.com
Fri Sep 7 17:05:54 UTC 2007


On Fri, 2007-09-07 at 12:51 -0400, Simo Sorce wrote:
> On Fri, 2007-09-07 at 12:45 -0400, Andrew C. Dingman wrote:
> > On Fri, 2007-09-07 at 11:57 -0400, Simo Sorce wrote:
> > > On Fri, 2007-09-07 at 11:42 -0400, Andrew C. Dingman wrote:
> > > > On Fri, 2007-09-07 at 11:27 -0400, Simo Sorce wrote:
> > > Not all systems let you login without the root password even in
> > > single-user mode.
> > 
> > I don't know of a Linux distribution where I can't get around the
> > password for maintenance, but I'll have to take your word for it on
> > other systems.
> 
> IIRC Debian always asks you for the root password; sure, you can always
> boot with a rescue disk, but that's cheating :)

True enough, but even on a Debian system, 'init=/bin/bash' gets around
this problem. No rescue disk needed ;)

My /next/ home server will run RHEL, FDS, and Fedora Certificate System,
but right now they're all Debian boxen.

> > > > > Also it makes it impossible for users to join the machine and keep
> > > > > control of it themselves. In some enterprises that is not wanted, but in
> > > > > many R&D departments that's a necessity.
> > > > 
> > > > Sudo solves many problems, including this one. In fact, I run a number
> > > > of my machines with no root password and all administration done through
> > > > sudo. The FDA auditors loved that.
> > > 
> > > I love sudo as well; we are planning to support it asap with the work on
> > > policies.
> > 
> > In that case, I think the argument for considering root in IPA is much
> > weaker. Sudo and no root password at all is a better solution. If you
> > support sudo through IPA, then any admin who wants to can just remove
> > the root password from the local system. I had assumed that sudo support
> > would be a v2 goal.
> 
> yeah, sudo will be v2, but nobody will prevent you from using sudo with
> IPAv1; it's just that you will have to replicate the configuration on
> multiple machines on your own.

Isn't there a pre-existing LDAP schema for this? Not that I've used it,
but that should simplify the replication considerably, especially if
you've already automated setting up the FDS instance. Perhaps I should
download the code and actually play with it a bit.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070907/bd57bd9c/attachment.sig>
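The setup argued for in this message, a locked root password with all administration done through sudo and the sudoers rules kept in LDAP, as an added example that is not code from the thread or from FreeIPA. The first helper classifies the password field of a shadow(5) line, because "no root password" is only safe when the field is locked (`!` or `*`, what `passwd -l root` writes), not empty (which lets root in with no password at all). The second emits a sudoers-in-LDAP entry using the sudoRole object class from the schema distributed with sudo; the base DN `ou=SUDOers,dc=example,dc=com` and the group name `admins` are assumptions for illustration. Locking root does not stop the `init=/bin/bash` trick mentioned above; that needs a bootloader password or physical controls.

```shell
#!/bin/sh
# Added example, not from the freeipa-devel thread or the FreeIPA project.

# Classify the password field of one /etc/shadow line:
#   locked : field starts with '!' or '*' (what `passwd -l root` produces)
#   empty  : field is empty, i.e. root can log in with NO password at all,
#            which is the opposite of what "no root password" is meant to do
#   set    : a password hash is present
root_password_state() {
    # $1 is one shadow(5) line, e.g. "root:!:17000:0:99999:7:::"
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Emit a sudoers-in-LDAP entry for the sudoRole schema shipped with sudo:
# objectClass sudoRole with sudoUser / sudoHost / sudoCommand attributes.
# $1 = POSIX group granted ALL, $2 = container DN (assumed layout, not IPA's).
sudo_role_ldif() {
    group=$1
    base=$2
    cat <<EOF
dn: cn=${group}_all,${base}
objectClass: top
objectClass: sudoRole
cn: ${group}_all
sudoUser: %${group}
sudoHost: ALL
sudoCommand: ALL
EOF
}

# Constructed sample shadow lines (not taken from any real system).
SAMPLE_LOCKED='root:!:17000:0:99999:7:::'
SAMPLE_EMPTY='root::17000:0:99999:7:::'
SAMPLE_SET='root:$6$salt$hash:17000:0:99999:7:::'

# Stand-alone run: show the classification and the LDIF that would be loaded.
for line in "$SAMPLE_LOCKED" "$SAMPLE_EMPTY" "$SAMPLE_SET"; do
    printf '%-40s -> %s\n' "$line" "$(root_password_state "$line")"
done
sudo_role_ldif admins 'ou=SUDOers,dc=example,dc=com'
```

To audit a real host, feed it the root line with `root_password_state "$(grep '^root:' /etc/shadow)"` and treat `empty` as a finding; the LDIF goes into the directory with `ldapadd`, after which every client configured for sudoers in LDAP sees the same rule without per-machine copies of /etc/sudoers.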