Leif Blixt wrote:
> Well, I don't think so. You only need to logon to the console when you have
> big problems, and we have just set a really long and complicated password for
> the root user and stored it away for emergency use in a safe. You still have
> the external shell protection by restricting who can access the server room.
> All other users must use sudo anyway, so you don't need the root password on
> a daily basis, and that's enough for PCI DSS.
>
> /Leif

Requirement 8.5 applies to "non-consumer users and administrators". I would
assume that means root at a local console. Let me know what your QSA
determines. It seems some of this is open to interpretation and depends on
the opinion of the QSA.

Brad

> -----Original Message-----
> From: Brad Tilley [mailto:[email protected]]
> Sent: 14 October 2010 14:09
> To: Leif Blixt; openbsd-misc
> Subject: Re: Force passwordcheck in login.conf
>
> Leif Blixt wrote:
>> Hi!
>>
>> We have just figured out a different approach, and will discuss our new idea
>> with our QSA tomorrow. The idea is to completely turn off the possibility to
>> log in with passwords, and to use SSH key pairs with long and good
>> passphrases instead. It will lead to more work with administrating accounts
>> and there is a small problem on how to distribute the public key to all
>> servers, but we don't have to set up a RADIUS server just yet!
>>
>> I will let you know what the response from our QSA is.
>>
>> /Leif
>
> Can you do that? I think local logon would still be an issue, at least
> the way I read it. Anyone in front of the machine at a console would be
> subject to the requirements.
>
> Brad
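The plan quoted above (no password logins over SSH, key pairs with passphrases, root kept to the local console) stands or falls on what sshd actually enforces, and sshd_config has a trap here: for a keyword that appears more than once, sshd(8) uses the first value, and anything after a Match line only applies inside that block. The script below is an added example, not code from the thread or from OpenBSD; it embeds two constructed sshd_config fragments and checks whether each one is really keys-only. The function and variable names are mine, and the assumed built-in defaults (PasswordAuthentication, ChallengeResponseAuthentication, PubkeyAuthentication and PermitRootLogin all defaulting to yes when absent) match OpenSSH of that era; check the sshd_config(5) page of the release you run.

```shell
#!/bin/sh
# Added example: verify that an sshd_config fragment disables password
# logins and remote root, the way the keys-only plan in the thread needs.
# Both configs below are constructed for this example, not real servers.

WEAK_CONFIG='# typical out-of-the-box settings
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'

HARDENED_CONFIG='# keys-only settings
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# sshd keeps the FIRST value of a keyword, so this later line is ignored
PasswordAuthentication yes
# settings after a Match line are conditional and do not change the default
Match User backup
    PasswordAuthentication yes
'

# sshd_effective CONFIG KEYWORD DEFAULT
# Print the global effective value of KEYWORD (lowercased), mimicking sshd:
# comments stripped, keyword match is case-insensitive, first occurrence
# wins, and parsing stops at the first Match block.  Only the
# "Keyword value" form is handled here, not "Keyword=value".
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        {
            sub(/#.*/, "")                 # drop trailing comment
            if ($0 ~ /^[ \t]*$/) next      # skip blank lines
            k = tolower($1)
            if (k == "match") exit         # global scope ends here
            if (k == tolower(key) && !found) { found = 1; val = $2 }
        }
        END { print (found ? tolower(val) : tolower(def)) }
    '
}

# keys_only CONFIG
# Return 0 when password logins are off, public keys are on, and root cannot
# log in remotely; otherwise print each offending setting and return 1.
# Assumed defaults (absent keyword == "yes") follow OpenSSH of the time.
keys_only() {
    cfg=$1
    fail=0
    for pair in passwordauthentication:no \
                challengeresponseauthentication:no \
                pubkeyauthentication:yes; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_effective "$cfg" "$key" yes)
        [ "$got" = "$want" ] || { echo "$key is $got, want $want"; fail=1; }
    done
    # root stays on the local console: no remote root with a password
    root=$(sshd_effective "$cfg" permitrootlogin yes)
    case $root in
        no|prohibit-password|without-password) ;;
        *) echo "permitrootlogin is $root, want no"; fail=1 ;;
    esac
    return $fail
}

# Usage: keys_only "$(cat /etc/ssh/sshd_config)" && echo "keys-only: OK"
keys_only "$WEAK_CONFIG" || echo "weak config rejected"
keys_only "$HARDENED_CONFIG" && echo "hardened config accepted"
```

The first-value rule is the detail most people get wrong: appending `PasswordAuthentication no` to the bottom of a file that already says `yes` near the top changes nothing, and a check that just greps for the line will pass it anyway. Running something like this against the live file after every change, and again after `sshd -t`, is cheap evidence to hand a QSA.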

