Richard Wilson wrote:
> I have a couple of questions about the daily insecurity output. I have an
> anoncvs server, and as detailed in the docs, I set it up without a
> password. Every day, I get an email telling me:
>
> Checking the /etc/master.passwd file:
> Login anoncvs has no password.
>
> This is of course correct operation, and I appreciate the strong and valid
> argument that it is a good thing that I am told this. Certainly I would want
> to know if there were any other accounts with no password. However, as this is
> the only output from the security checks, it means that if I could block the
> output for the null-password check, for just this one account, then I would
> not normally get an insecurity report. This would mean that when I *did* get
> an insecurity report, it would mean that some other issue had arisen, and I
> should pay attention.
>
> As such, I ask is there a correct way to tell the system, for this one
> account, yes, I know, I'm okay with that, so that it will only email me if
> some other issue arises. If not, I will prefer to just keep having to read the
> same email every day, rather than reduce safety in some way.
>
> My other question is very similar. On a different server, every day I get a
> similar message:
>
> Checking the /etc/master.passwd file:
> Login si1entdave is off but still has a valid shell and alternate access files in
>        home directory are still readable.
>
>
> Again, this is correct operation, and the system is as I would wish it. I
> have used vipw to stick a ! in my password hash field, so that the only
> ssh-enabled account can only be accessed using an ssh key, for better
> security. Once again, I would like to be able to specify in some way that yes,
> I know, only bother me when something I actually care about happens. As a
> workaround, is there a string I can put in the hash field that looks like a
> password hash, but cannot match any password?
>
>
> In both these things, I am looking to improve the Signal-to-Noise ratio of
> these emails, but I would rather keep the Noise than risk losing some Signal
> :-)
>
> Ta all,
>
> Si1entDave
>
>
First, you may edit the daily script (it's just a script) to accomplish
what you are wanting. Secondly, to make an ssh user able to log in only
with a key, and not with a password, you have several options. One
is to disable password authentication completely, with
PasswordAuthentication no in the sshd_config, or you could use the Match
directive to disable it only for a user, group, host, etc.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]
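
One way to get the per-account suppression asked about in the thread without losing signal, as an added example that is not part of the original messages or of the system's own daily script: a filter that drops only findings listed verbatim in an allowlist file. The function name, the allowlist file, the `Checking ...:` header pattern and the account anoncvs2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: suppress only acknowledged findings from a security report.
# Assumptions (not from the thread): the report is plain text on stdin,
# section headers look like "Checking ...:", and the allowlist file holds
# one acknowledged finding per line ('#' starts a comment line).

filter_report() {
    # $1 = allowlist file; the report is read from stdin
    awk -v ackfile="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            # A missing or empty allowlist acknowledges nothing, so the
            # whole report passes through (fails towards more output).
            while ((getline l < ackfile) > 0) {
                l = trim(l)
                if (l != "" && l !~ /^#/) ack[l] = 1
            }
        }
        # Hold each section header until a finding below it survives.
        /^Checking .*:$/ { header = $0; next }
        { line = trim($0) }
        line == "" { next }
        # Exact string comparison, never a pattern: acknowledging anoncvs
        # must not hide a finding for any other account name.
        (line in ack) { next }
        {
            if (header != "") { print header; header = "" }
            print $0
        }
    '
}

# Constructed demo: anoncvs is acknowledged, anoncvs2 (made up) is not.
ack=$(mktemp)
printf '%s\n' 'Login anoncvs has no password.' > "$ack"
printf '%s\n' 'Checking the /etc/master.passwd file:' \
    'Login anoncvs has no password.' \
    'Login anoncvs2 has no password.' | filter_report "$ack"
rm -f "$ack"
```

When every finding is acknowledged the filter prints nothing, so a mail step that sends only non-empty output stays silent until something new appears.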
