> > If I chroot then I can't do much at all right?
> > Unless I replicate/link like the entire system, minus login.
>
> You said that you want to limit them, not I.

I just don't want them to be able to login as root. And I don't want a password for root. If they are on the console though, ok either way. That is a laxness I failed to mention would be ok.

> just test it. If your user is not in wheel then he can use login and
> enter root password, but even when he knows that password login will
> not enter root shell as you are not in wheel, but if you know root
> password then you don't need to play those games and you can destroy
> something directly ;-)

I will maybe poke around more. But again, I don't want anything to depend on root password. It should be empty and still be secure -- only allow password login from console, not remote. Only allow ssh access remotely.

Am I making sense? I neither want to remember passwords nor have anyone be able to guess them. Which is almost a contradiction.

If someone is at the physical console, they can do anything. So I should be able to login to the console w/o password. And remote access only via ssh.

Since I haven't figured out how to configure this, instead I set the password to "*" which disallows any password-based login, including physical console.

If I ever really need console access, but haven't lost remote access, I should be able to reboot remotely and then go to the machine and alter the boot command line like to use single user mode. I certainly reboot the machines remotely sometimes (e.g. for an upgrade). Though I haven't needed single user mode yet, in a long time.

Thanks,
 - Jay