Richard Wilson wrote:
> I have a couple of questions about the daily insecurity output. I have an
> anoncvs server, and as detailed in the docs, I set it up without a
> password. Every day, I get an email telling me:
>
> Checking the /etc/master.passwd file:
> Login anoncvs has no password.
>
> This is of course correct operation, and I appreciate the strong and valid argument that it is a good thing that I am told this. Certainly I would want to know if there were any other accounts with no password. However, as this is the only output from the security checks, it means that if I could block the output for the null-password check, for just this one account, then I would not normally get an insecurity report. This would mean that when I *did* get an insecurity report, it would mean that some other issue had arisen, and I should pay attention.
>
> As such, I ask is there a correct way to tell the system, for this one account, yes, I know, I'm okay with that, so that it will only email me if some other issue arises. If not, I will prefer to just keep having to read the same email every day, rather than reduce safety in some way.
>
> My other question is very similar. On a different server, every day I get a similar message:
>
> Checking the /etc/master.passwd file:
> Login si1entdave is off but still has a valid shell and alternate access files in
> home directory are still readable.
>
> Again, this is correct operation, and the system is as I would wish it. I have used vipw to stick a ! in my password hash field, so that the only ssh-enabled account can only be accessed using an ssh key, for better security. Once again, I would like to be able to specify in some way that yes, I know, only bother me when something I actually care about happens. As a workaround, is there a string I can put in the hash field that looks like a password hash, but cannot match any password?
>
> In both these things, I am looking to improve the Signal-to-Noise ratio of these emails, but I would rather keep the Noise than risk losing some Signal :-)
>
> Ta all,
>
> Si1entDave

First, you may edit the daily script (it's just a script) to accomplish what you are wanting.

Secondly, to make an ssh user only able to log in with a key, and not with a password, you have several options. One is to disable password authentication completely, with PasswordAuthentication no in sshd_config, or you could use the Match directive to disable it only for a user, group, host, etc.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
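
An added example, not part of the thread and not OpenBSD's own script: instead of editing the daily script, this filters its output against a list of acknowledged findings, so that a report is left over only when something unacknowledged appears. It assumes the report layout quoted above (a "Checking ...:" header followed by finding lines); the function name `filter_insecurity`, the acknowledgement file and the `testuser` account are hypothetical.

```shell
#!/bin/sh
# filter_insecurity ACKFILE < report
# ACKFILE holds one acknowledged finding per line, matched as an exact,
# whole-line string (no patterns), so a new finding for any other account
# still gets through. If ACKFILE is missing or empty nothing is suppressed:
# the failure mode is extra noise, never lost signal.
filter_insecurity() {
    awk -v acks="$1" '
        BEGIN {
            # Load acknowledged lines; an unreadable file leaves the set empty.
            while ((getline line < acks) > 0)
                if (line != "") ack[line] = 1
            close(acks)
        }
        /^Checking .*:$/ { header = $0; next }  # hold header until a finding survives
        $0 == ""         { next }               # skip blank separator lines
        ($0 in ack)      { next }               # acknowledged: drop it
        {
            # First surviving finding in a section prints its header once.
            if (header != "") { print header; header = "" }
            print
        }
    ' -
}

# Constructed sample report: the anoncvs line is from the message above,
# the testuser line is invented to stand for an unexpected finding.
sample_report() {
    printf '%s\n' \
        'Checking the /etc/master.passwd file:' \
        'Login anoncvs has no password.' \
        'Login testuser has no password.'
}

# Demo: acknowledge only the anoncvs finding; the header and the testuser
# line remain, which is the case that should still generate mail.
ackfile=$(mktemp)
printf '%s\n' 'Login anoncvs has no password.' > "$ackfile"
sample_report | filter_insecurity "$ackfile"
rm -f "$ackfile"
```

A finding that wraps onto a second line, like the si1entdave message, needs both physical lines listed in the acknowledgement file exactly as they appear in the report.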