From owner-freebsd-net Tue Jun 19 11:21:56 2001
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-101.n01.orldfl01.us.ra.verio.net [157.238.210.101]) by hub.freebsd.org (Postfix) with ESMTP id 051D037B407 for ; Tue, 19 Jun 2001 11:21:52 -0700 (PDT) (envelope-from bill@bilver.wjv.com)
Received: (from bill@localhost) by bilver.wjv.com (8.11.1/8.11.1) id f5JILfh20939; Tue, 19 Jun 2001 14:21:41 -0400 (EDT) (envelope-from bill)
Date: Tue, 19 Jun 2001 14:21:41 -0400
From: Bill Vermillion
To: Cameron Haegle
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Securing the root account
Message-ID: <20010619142141.C20724@wjv.com>
Reply-To: bv@wjv.com
References: <008f01c0f8e5$fdca32a0$420fbf8f@hlc02>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <008f01c0f8e5$fdca32a0$420fbf8f@hlc02>; from chaegle@mediaone.net on Tue, Jun 19, 2001 at 12:33:44PM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Jun 19, 2001 at 12:33:44PM -0500, Cameron Haegle thus sprach:

> I come from the Windoze side of the playground, where you are able
> to rename the Administrator account name, in order to provide a
> bit more security.

> Can a similar thing be done with FreeBSD?

You could, but what you are proposing is the classic 'security through
obscurity' model. That never works.

Root is a traditional account name since 1969, but it also maps to user
ID 0 as someone else mentioned. Every system requires a user ID 0 no
matter whether it is root, larry, manny or moe.

Make sure that no one can log in as root anywhere except at the
console. You can even eliminate root login at the console if your
system is not in a 10000% secure location :-)

Then the only members who can use root are those you put in the
'wheel' group.
Let's get back to UID 0 for a moment. If anyone can get into that
machine, even if they don't have the ability to become super user, and
you have named your root account mxtylplx, then anyone on that machine
will know that is the admin account by listing any directory in which
user ID 0 has a file it owns.

Don't putz around with security 'ideas'. Do security in the right
manner. Limit the wheel account users. Make sure they keep their login
password secure, and keep the root password secure. Get rid of all
telnet accounts and put in SSH so that no clear text passwords ever
cross the net.

That's just a small step on the way to locking down a system, but just
changing login names won't do it.

Bill

--
Bill Vermillion - bv @ wjv . com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
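The three points in Bill's reply (UID 0 is what matters, not the name; root should only log in at the console; keep the wheel group small) can each be checked mechanically. The script below is an added example and is not from the original post or from FreeBSD itself. It parses constructed sample data in the formats of FreeBSD's /etc/passwd, /etc/ttys and /etc/group (the "secure" status word in ttys(5) is what permits a root login on that terminal); on a real host you would pass the contents of the real files to the same functions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Audits the points
# raised in the reply: every UID-0 account whatever it is named, every
# tty other than the local console that still permits a root login, and
# the membership of the wheel group. All data below is constructed.

# Constructed /etc/passwd sample: root has been renamed to "mxtylplx",
# and a second UID-0 account ("toor") is also present. The kernel only
# sees the number, so both are root.
SAMPLE_PASSWD='mxtylplx:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
bill:*:1001:1001:Bill:/home/bill:/bin/sh'

# Constructed /etc/ttys sample: the network pseudo-tty ttyp0 has been
# flagged "secure", which allows a direct root login over the network.
SAMPLE_TTYS='console none unknown off secure
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
ttyp0 none network secure
ttyp1 none network'

# Constructed /etc/group sample.
SAMPLE_GROUP='wheel:*:0:mxtylplx,bill,cameron
daemon:*:1:
users:*:100:bill,cameron'

# list_uid0 PASSWD_TEXT: print every login name whose numeric UID is 0.
list_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# root_remote_ttys TTYS_TEXT: print every tty flagged "secure" (root
# login permitted) that is neither the console nor a local virtual
# console (ttyv*). Status words begin at field 4 and may be in any order.
root_remote_ttys() {
    printf '%s\n' "$1" | awk '
        $1 == "console" || $1 ~ /^ttyv/ { next }
        { for (i = 4; i <= NF; i++) if ($i == "secure") { print $1; next } }'
}

# wheel_members GROUP_TEXT: print the members of the wheel group, one
# per line, so the list can be reviewed and trimmed.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# audit PASSWD_TEXT TTYS_TEXT GROUP_TEXT: print a short report.
audit() {
    echo "Accounts with UID 0 (all of these are root, whatever the name):"
    list_uid0 "$1" | sed 's/^/  /'
    echo "Non-console ttys that permit direct root login (should be empty):"
    root_remote_ttys "$2" | sed 's/^/  /'
    echo "Users who can su to root (wheel group):"
    wheel_members "$3" | sed 's/^/  /'
}

audit "$SAMPLE_PASSWD" "$SAMPLE_TTYS" "$SAMPLE_GROUP"
```

Running it against the sample data reports mxtylplx and toor as UID-0 accounts, ttyp0 as a network tty that still allows root login, and three wheel members; the renamed root account is found just as easily as one called "root".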