From: "Cameron Haegle"
To: "Lars Fredriksen"
Subject: Re: Securing the root account
Date: Tue, 19 Jun 2001 16:26:03 -0500
Sender: owner-freebsd-net@FreeBSD.ORG

I want to thank everyone for their input on this issue. I will take
everyone's input into serious consideration before I go forward.

Thanks.....

Cam

----- Original Message -----
From: "Lars Fredriksen"
Cc: "Cameron Haegle"
Sent: Tuesday, June 19, 2001 1:58 PM
Subject: Re: Securing the root account

> Very well put!
>
> Lars
> Bill Vermillion wrote:
>
> > On Tue, Jun 19, 2001 at 12:33:44PM -0500, Cameron Haegle thus
> > sprach:
> >
> > > I come from the Windoze side of the playground, where you are able
> > > to rename the Administrator account name, in order to provide a
> > > bit more security.
> >
> > > Can a similar thing be done with FreeBSD?
> >
> > You could, but what you are proposing is the classic 'Security
> > through obscurity model'. That never works.
> >
> > Root is a traditional account name since 1969, but it also maps to
> > user ID 0 as someone else mentioned. Every system requires
> > a user ID 0 no matter whether it is root, larry, manny or moe.
> >
> > Make sure that no one can log in as root anywhere except at the
> > console. You can even eliminate root login at the console if your
> > system is not in a 10000% secure location :-)
> >
> > Then the only members who can use root are those you put in the
> > 'wheel' group.
> >
> > Let's get back to UID 0 for a moment. If anyone can get into that
> > machine, even if they don't have the ability to become super user,
> > and you have named your root account mxtylplx, then anyone on that
> > machine will know that is the admin account by listing any
> > directory in which user ID 0 has a file it owns.
> >
> > Don't putz around with security 'ideas'. Do security in the right
> > manner. Limit the wheel account users. Make sure they keep their
> > login password secure, and keep the root password secure.
> >
> > Get rid of all telnet accounts and put in SSH so that no clear text
> > passwords ever cross the net. That's just a small step on the
> > way to locking down a system, but just changing login names won't
> > do it.
> >
> > Bill
> >
> > --
> > Bill Vermillion - bv @ wjv . com
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
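
An added example, not part of the thread: a small audit of the three controls discussed above (who maps to UID 0, who is in wheel, and which terminals accept a root login). The file contents are constructed samples in the passwd, group and ttys formats, and treating `console` and `ttyv0` as "the console" is an assumption.

```python
import shlex

# Constructed samples; on a real host read /etc/passwd, /etc/group, /etc/ttys.
PASSWD = """\
mxtylplx:*:0:0:Renamed admin:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:0:Bob:/home/bob:/bin/sh
"""
GROUP = """\
wheel:*:0:mxtylplx,alice
operator:*:5:mxtylplx
"""
TTYS = """\
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
ttyv1   "/usr/libexec/getty Pc"         xterm   on  insecure
ttyu0   "/usr/libexec/getty std.9600"   vt100   on  secure
"""

def uid0_accounts(passwd):
    """Every account mapped to UID 0, whatever its login name is."""
    rows = [l.split(":") for l in passwd.splitlines() if l and l[0] != "#"]
    return [r[0] for r in rows if r[2] == "0"]

def wheel_members(passwd, group):
    """Listed wheel members plus accounts whose primary GID is wheel's."""
    rows = [l.split(":") for l in passwd.splitlines() if l and l[0] != "#"]
    for line in group.splitlines():
        name, _, gid, members = line.split(":")
        if name == "wheel":
            listed = set(filter(None, members.split(",")))
            return sorted(listed | {r[0] for r in rows if r[3] == gid})
    return []

def root_login_ttys(ttys, console=("console", "ttyv0")):
    """Enabled terminals flagged 'secure' that are not the console."""
    found = []
    for line in ttys.splitlines():
        f = shlex.split(line, comments=True)  # keeps the quoted getty field whole
        if len(f) >= 4 and {"on", "secure"} <= set(f[3:]) and f[0] not in console:
            found.append(f[0])
    return found

if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    print("wheel members: ", wheel_members(PASSWD, GROUP))
    print("root login on: ", root_login_ttys(TTYS))
```

The renamed account still shows up in the UID 0 list, which is the point made in the thread about file ownership revealing the admin account.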