Disable Root

dsenable root

bash-3.2# dsenableroot help

dsenableroot:: Enable or disable root user with Directory Services. Version 10.5.3 Usage: dsenableroot [-d] [-u username] [-p password] [-r rootPassword] Example 1: dsenableroot Attempt to enable root account. Your username will be used. Both passwords will be prompted for. Example 2: dsenableroot -d -u username Attempt to disable root account. Only user password will be prompted for. In all cases passwords cannot be empty strings.

Also Casper has built in features to change passwords in the accounts tabs of machines scoped. You can do it from the web interface via policy.

-Tom

The problem with "dsenableroot -d" for disabling root is that it prompts for a password. If you use the -u and -p arguments to pass username and password so it doesn't prompt for a password, you risk those credentials showing up in the process table in clear text. You also risk them being passed over the network in clear text unless you use a secure protocol for all your JSS client communication.

# remote the AuthenticationAuthority from the user's account dscl . delete /Users/root AuthenticationAuthority

# Put a single asterisk in the password entry, thus locking the acount. dscl . -create /Users/root Password '*'

We put the commands above in a policy script which is scoped appropriately.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov<mailto:walter.rowe at nist.gov>
301-975-2885

what's the difference between doing

# remote the AuthenticationAuthority from the user's account dscl . delete /Users/root AuthenticationAuthority # Put a single asterisk in the password entry, thus locking the acount. dscl . -create /Users/root Password '*'

and

# Disable root login by setting root's shell to /usr/bin/false dscl . -create /Users/root UserShell /usr/bin/false

@jwojda the first method disable all authentication, while the second one only disable logging in.

It's not a very complete response, but the first one is safer.