Ok guys.....this should be an interesting one....not sure if it is even possible, but here's the deal:

We have about 30 redhat 9 users networked using NIS......all 30 users have the root password to their linux boxes, which of course is the same password for each box.....is there a way to prevent root from becoming another user, (su username), or at least prompt for a DIFFERENT password once you get to that point......as in almost adding an additional layer of security onto it? Please give me any advice you have on this.....if it's not possible, then I am ok with that, or even if there are other ways of going about it.....it would be much appreciated! Thanks!

I...find...it....extremely...difficult....to....read....your....text...so...I...won't....even....bot her....trying....

.....thanks for your help......iceman......
I'll clean it up for your, so that maybe you could offer me a real suggestion to my issue.

We have about 30 redhat 9 users networked using NIS and all 30 users have the root password to their linux boxes, which of course is the same password for each box.
Is there a way to prevent root from becoming another user, (su username), or at least prompt for a DIFFERENT password once you get to that point; as in adding an additional layer of security onto it?

Please give me any advice you have on this if it's possible. If it is not possible, I would be ok with that, so either way I would appreciate any information one had to offer.

Thank you very much,


Sincerely :-)

1. Why would they need the root passwd to their box?!!!
2. Why are they all the same?!!!

Once someone becomes root, it's pretty much game over as far as security goes.

Giving the ClearCaseUsers was just something that was pre-existing when I came into the situation. I had a feeling I was just going to have to change the root password, but I just wanted to confirm there was nothing else I could do, or that there were no more suggestions. Thanks

What exactly are you trying to prevent them from doing? If you're giving them root (and physical) access what's left to secure? Your network maybe?

Hmm, in our uni they have nis and root on individual machines without every machine having the same root password


so my normal username is the same on all machines
yet root is different.

Don't ask me how though not my setup, (*probably a wise decision*)

Actually Proud, thanks for asking that. The real problem is not really the users having root access, but the ability to ssh into a box(which we do allow and that' s ok) and change over to a different user on that box and open a ClearCase View as someone else. It is difficult to track things when you don't know if the user is the one that acutually opened the view! thanks

So you're saying you need to disable remote root login and maybe sudo su to definately stop your problem?

Why have the same root on all machines ?

No as far as I have understood this:

He has NIS or so and all machines have the same root password

su user X logs in as jon doe then does su - and then can do janedoe and read all her dirty knickers stories.

My suggestion is to seperate root on different machines. Its a security risk anyway, imo, if I understood that correctly.

that's almost the situation that happens. It is more like user X ssh's into a box as root, then su - another user and checks out clearcase views as that user...I understand giving users root access is a security risk, and if that is the only suggestion, then we will change the root on every box. I was just curious if there was another way. Thanks!

You can (and should!) disable root login via ssh. Edit /etc/ssh/sshd_config and set :
PermitRootLogin no

This is true regardless of your problems. See sticky thread at top of this forum.
Also, change the root passwds anyway, thus preventing user's from pretending to be someone else. (via su - )