Classification: UNCLASSIFIED
this should be off-list but I can't. you can find me at pattonme at yahoo dot com
PermitRootLogin forced-commands-only
is precisely what you need. If the auditors really are too stupid to know what that does, then I'd tell them to come back after they have somebody 'splain it to them and they rewrite their simpleton "policy". Like I said, sounds like the auditors are just checking boxes without knowledge of what they are actually checking. Typical, unfortunately.
You can of course leave
"PermitRootLogin no # for stupid auditors"
in sshd_config and change /etc/init.d/sshd to put the "-o PermitRootLogin" on the command line. You could even bury it in an options file. *grin*
From a system auditing standpoint where one tries to minimize the number of places where security policies are stored, I'd use sudo and as a real account, not "nobody".
Have fun with the daemon.
-- Linux-cluster mailing list Linux-cluster@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/linux-cluster