From owner-freebsd-net  Tue Jun 19 11:21:56 2001
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-101.n01.orldfl01.us.ra.verio.net [157.238.210.101])
	by hub.freebsd.org (Postfix) with ESMTP id 051D037B407
	for <freebsd-net@FreeBSD.ORG>; Tue, 19 Jun 2001 11:21:52 -0700 (PDT)
	(envelope-from bill@bilver.wjv.com)
Received: (from bill@localhost)
	by bilver.wjv.com (8.11.1/8.11.1) id f5JILfh20939;
	Tue, 19 Jun 2001 14:21:41 -0400 (EDT)
	(envelope-from bill)
Date: Tue, 19 Jun 2001 14:21:41 -0400
From: Bill Vermillion <bill@wjv.com>
To: Cameron Haegle <chaegle@mediaone.net>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Securing the root account
Message-ID: <20010619142141.C20724@wjv.com>
Reply-To: bv@wjv.com
References: <008f01c0f8e5$fdca32a0$420fbf8f@hlc02>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <008f01c0f8e5$fdca32a0$420fbf8f@hlc02>; from chaegle@mediaone.net on Tue, Jun 19, 2001 at 12:33:44PM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Tue, Jun 19, 2001 at 12:33:44PM -0500, Cameron Haegle thus
sprach:

> I come from the Windoze side of the playground, where you are able
> to rename the Administrator account name, in order to provide a
> bit more security.

> Can a similar thing be done with FreeBSD?

You could, but what you are proposing is the classic 'Security
through obsurity model'.  That never works.

Root is a traditional account name since 1969, but it also maps to
user ID 0 as someone else mentioned.  Every system requires
a user ID 0 no matter whether it is root, larry, manny or moe.

Make sure that no one can log in as root anywhere except at the
console.  You can even elminate root login at the console if your
system is not in a 10000% secure location :-)

Then the only memember who can use root are those you put in the
'wheel' group.

Let's get back to UID 0 for a moment.  If anyone can get into that
machine, even if they don't have the ability to become super user,
and you have named your root account mxtylplx, then anyone on that
machine will know that is the admin account by listing any
directory in which used ID 0 has a file it owns.

Don't putz around with security 'ideas'.  Do security in the right
manner.  Limit the wheel account users.  Make sure they keep their
login password secure, and keep the root password secure.

Get rid of all telnet account and put in SSH so that no clear text
passwords ever cross the net.   That's just a small step on the
way, to locking down a system, but just changing login  names won't
do it.

Bill

-- 
Bill Vermillion -   bv @ wjv . com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message