OA - Ubuntu
A blog about Ubuntu, mobile GIS and archaeology

Ubuntu in the server room - enabling the root account?

Jan 19, 2009 by Yann Hamon

I tend to believe that passwords are generally quite a poor way to authenticate users. How many systems have been compromised by automated brute-force attacks because some users on the system used "password", "letmein" or their first name as a password? Working in a corporate environment where the average user isn't very technical, I can say a good 10% of the users have poor, if not very poor, passwords.

Even for sysadmins, we would tend to either reuse the same password for all the machines, or have a different one for every machine and not be able to remember it (or store the passwords in a very poor manner), or... Well, we decided to go the key-authentication way (like many others), and not use passwords at all. Sysadmins & devs can log into the servers with their key, and use sudo (those with appropriate permissions) without a password; adding passwords on top of that would actually bring us back to my first point.

This is perfectly fine for remote SSH access. But I found myself feeling pretty stupid one day when the internet connection of one of the servers went down: I plugged in a screen & keyboard, and got a login prompt - asking for a password. Or another day, when someone broke sudo on his machine - we could still log in, but we had to reboot it into single-user mode (it was a dev server, so not *that* bad) to be able to sudo again.

Alright, to my point now: having a root account, with a password that is very easy to remember, is very, very convenient for servers, in my opinion. Because:

  • You do not want to have to reboot your production server in single mode if for some reason you screw something up (sudo / eth* interface / ssh).
  • The root user is usually more "robust" than your own user. Its home is /root (by default), not /home/root, which makes it easy to put on a different partition (so that root can still log in if /home is full). It can be set to use a more "robust" shell; if for some reason you screw up your bash, you can use the root account to use sh (which would be a pain to use on an everyday basis), etc.

There are really a number of ways you can screw up your own user in a way that would prevent you from logging in - and the last thing you would want to do is reboot a server that is in use (and has 3 years of uptime ;) ). In many of these cases, having a properly set up root user would help. Well then, what's the point of using sudo and separate user accounts, since many would just use root for "convenience" if they had the password?

My take on it is that the root password should never be used - never, unless the system is so badly broken that you would have to get physical/serial port access to the server to fix it. And my belief is that if someone has physical access to the server, then he can have full access to everything anyway, so why not just make it easy? This is where Linux comes in to help. Before the solution, here were my requirements:

  • Make it easy for someone with physical access to the server to get admin access (we have our servers on site - this is still valid if you have serial console access though)
  • Make it impossible for someone without physical access to use the root account "directly" - be it ssh root@server, su - root or anything similar.

I spent a long time grepping /etc, and found /etc/login.defs, /etc/securetty, /etc/consoles... Nothing would work. So thanks to Canonical support on that one: you need to enable it in PAM first, by adding to /etc/pam.d/su:

auth requisite pam_securetty.so

In the /etc/securetty file, you just leave the ttys that should be able to log in as root: tty1, tty2, tty3, tty4 in my case. I would love some feedback on this, as it seems fine - but maybe it's not? :)
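As an added example (written for this page, not part of the original post), here is a small audit script that checks the three settings discussed on this page and in the comments: that pam_securetty sits early enough on su's auth stack, that /etc/securetty lists only the intended consoles, and that sshd has PermitRootLogin set to no. It takes file paths as parameters and runs against constructed fixtures, so it can be tried without touching a real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "root only at the
# physical console" setup. Paths are parameters, so the checks can be run
# against copies of the real files or, as below, against constructed fixtures.

# 1. pam_securetty must be on su's auth stack and ahead of every other auth
#    entry except pam_rootok (caller is already root, no password asked). A
#    "sufficient" module listed earlier, e.g. pam_wheel with "trust", would let
#    root in before pam_securetty is ever consulted.
pam_securetty_first() {   # $1 = /etc/pam.d/su (or a copy)
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         $1 == "auth" && $2 ~ /^(requisite|required)$/ && $3 ~ /pam_securetty\.so/ { if (!sec) sec = NR; next }
         $1 == "auth" && $3 ~ /pam_rootok\.so/ { next }
         ($1 == "auth" || ($1 == "@include" && $2 ~ /auth/)) && !other { other = NR }
         END { exit !(sec && (!other || sec < other)) }' "$1"
}

# 2. Print every securetty entry outside the allowed console list (pts/*, or
#    ttyS0 if no serial login is wanted); exit non-zero if any were found.
securetty_extras() {      # $1 = /etc/securetty (or a copy), $2.. = allowed ttys
    f=$1; shift; allowed=" $* "; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        case $allowed in *" $line "*) ;; *) echo "$line"; rc=1 ;; esac
    done < "$f"
    return $rc
}

# 3. sshd must refuse root outright (PermitRootLogin no, as raised in the
#    comments). sshd keeps the FIRST value of a keyword, so read that one.
sshd_root_denied() {      # $1 = /etc/ssh/sshd_config (or a copy)
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { exit !(v == "no") }' "$1"
}

# Constructed fixtures (not real system files) so the script runs anywhere.
demo() {
    d=$(mktemp -d)
    printf 'auth sufficient pam_rootok.so\nauth requisite pam_securetty.so\n@include common-auth\n' > "$d/su"
    printf '# consoles where root may log in\ntty1\ntty2\ntty3\ntty4\npts/0\n' > "$d/securetty"
    printf 'Port 22\nPermitRootLogin no\n' > "$d/sshd_config"
    pam_securetty_first "$d/su" && echo "su: pam_securetty ok" || echo "su: pam_securetty missing or misplaced"
    securetty_extras "$d/securetty" tty1 tty2 tty3 tty4 || echo "securetty: remove the entries above"
    sshd_root_denied "$d/sshd_config" && echo "sshd: root denied" || echo "sshd: PermitRootLogin is not 'no'"
    rm -rf "$d"
}
demo
```

The fixture deliberately contains a pts/0 entry in securetty so the second check has something to flag; run the three functions against copies of your own files to audit a real box.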

Comments:

Looks fine to me, though perhaps harder than necessary. Wouldn't it be easier to just disable root in ssh? (Add DenyUsers root to sshd_config)

Posted by Vyp3r on January 19, 2009 at 05:12 PM GMT+00:00 #

Vyp3r > Not really... Actually you need to set "PermitRootLogin" to no, and I think that's the case by default.

The point is that I do not want people to use root when they should really be using sudo; so they shouldn't be allowed to use root. And if the password is weak, then it could be bruteforced/guessed easily, too. And using the same root password for all the servers (even if limited to people with access to the servers) quite destroys the whole idea behind sudo...

I quite like the idea of "last resort" for root :)

Posted by Yann on January 19, 2009 at 05:27 PM GMT+00:00 #

Sounds like a very good plan, I always set a root password so I don't have to reboot using rescue modes when things fail.

But your idea to use a very weak password is not that good - it shouldn't be too easy for someone in the server room to get access, think of all the unauthorized people like electricians who aren't supervised 100% of the time...

Posted by Anden on January 20, 2009 at 12:30 PM GMT+00:00 #
