Date: Fri, 11 Nov 2005 17:47:57 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: upgrading 5.4 -> 6.0 without reinstalling. safe ?
Message-ID: <200511111647.jABGlvD4070834@lurza.secnetix.de>
In-Reply-To: <35c231bf0511100803n14674398u3dedbee245c9f264@mail.gmail.com>

David Kirchner <dpk@dpk.net> wrote:
 > On 11/10/05, Oliver Fromme <olli@lurza.secnetix.de> wrote:
 > > Well, I vote for /sbin/nologin as root's login shell.
 > >
 > > In single-user mode, the system asks for the shell, with
 > > /bin/sh being the default.  In multi-user mode, nobody
 > > should ever log in as root.  You rather log in as normal
 > > user and then use "su -m", or use sudo(8) or super(1) or
 > > whatever.
 >
 > It's awkward to have to reboot a machine just to log in to it from a
 > console.

I don't have to reboot to do that.

 > Let's say you're colocated and utilize a "remote hands"
 > service, or you make a mistake with your firewall. You're better off
 > disabling root logins in sshd_config, so no one can use root from
 > remote.

You mean:  No one can log in as root.  You can still use
root from remote, by logging in as normal user and then
using one of the various methods (su, sudo, super, ...).

 > Then you can leave a password on the root account and still
 > have console access.

Console access, root login and having a password on the
root account are all different things.  They're not
necessarily dependent on each other.

 > I just leave root logins enabled and use ssh keys. Leaves a very nice,
 > easy to follow, one-line-per-login "paper trail" of who logged in as
 > root from where and when.

su, sudo etc. do the same.

Another advantage of using su (particularly "su -m") is the
feature that you can use your own favourite shell, your
usual aliases, keybindings etc. while being root.

Otherwise, on machines where multiple admins log in as
root, they tend to clutter root's profiles with their own
stuff which confuses the others and might even conflict
with settings of others.  This is a bad thing and can
cause damage.

Logging in as root should be considered harmful, IMHO.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code" (taken from comp.lang.awk FAQ)
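
Added example, not part of the original message or of FreeBSD: a small POSIX sh check that reports the two settings debated above, the global PermitRootLogin value in an sshd_config file and root's login shell in a passwd-format file. The function names and the sample files are assumptions made for the illustration; the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the two settings under
# discussion, sshd's PermitRootLogin and root's login shell.

# Effective global PermitRootLogin in an sshd_config file. sshd keeps the
# first value it reads for a keyword, keywords are case-insensitive, and
# lines after a Match line are conditional, so the scan stops there.
# "unset" means the compiled-in default applies (it varies by version).
permit_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }       # also accept Keyword=value
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Login shell of root: the last field in both passwd and master.passwd.
root_shell() {
    awk -F: '$1 == "root" { print $NF; exit }' "$1"
}

# One-line summary for an sshd_config ($1) and a passwd-format file ($2).
root_access_summary() {
    echo "PermitRootLogin=$(permit_root_login "$1") root_shell=$(root_shell "$2")"
}

# Demo on constructed sample files (not taken from any real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin No' \
        'Match User backup' '    PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/sbin/nologin' \
        'admin:*:1001:1001:Admin:/home/admin:/bin/tcsh' > "$d/passwd"
    root_access_summary "$d/sshd_config" "$d/passwd"
    rm -rf "$d"
}
demo
```

The check reads only the file it is given; Include directives and Match blocks are not evaluated, so a per-user or per-address override has to be reviewed separately.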