Date: Wed, 29 Apr 1998 17:01:06 -0400
To: Doug White
From: Gary Schrock
Subject: Re: any way to make ssh logins log to messages?
Cc: freebsd-questions@FreeBSD.ORG

At 01:34 PM 4/29/98 -0700, you wrote:
>Mailing as root implies you log in as root. And as root, the system lets
>you do whatever you want even if you didn't mean it, like accidentally
>typing `rm -rf /' instead of `rm -rf .' Note that the . and the / key are
>next to each other :) In addition, it allows the distribution of
>root-exploit viruses & trojans and other nasty problems that Linux people
>typically have since they always run as root. If you want root mail to go
>to you then simply modify the root alias in /etc/aliases.

Yeah, I've done the rc -rf thing accidentally before, but generally it's because of using X and forgetting that I'm on a machine where focus doesn't follow the cursor.

The machine that I get email on I don't actually generally login as root unless I'm doing something that I'm going to need root for anyways. And I never login remotely, and now that more Windows clients are becoming available for doing ssh logins, I'm never logging in without using ssh even as the normal user on the machine. I have to admit I hadn't thought of just changing the alias, even though I've done that on another machine. That might just make me think about doing it.

>The next question is usually how to allow remote root logins, which is
>disabled by default to keep people in Botswana from running passwd
>guessers against it.

And that's exactly why I don't enable remote root logins.

>Lastly, it discourages my favorite security practice: Change the root
>password to something random, put it in an envelope and tape it to the
>CPU. Then install sudo and tell people to use that if they need admin
>access. With sudo you can control what programs people can execute, and
>see what they've been up to since it's logged. If you ever need the root
>password, it's there, but as of yet I've never needed to make use of it.

My practices in whether or not I use root tend to vary depending on whether I'm on my home machine or at work. At work I only log into root when I need to, but at home I generally just login as root, and if I manage to trash my machine I trash it, it's not critical that I be able to access my unix partitions at any given moment, so if it takes a while for me to recover it then it does. I've also moved to moving to things like skey on the root accounts for machines that have a higher profile.

Gary Schrock
root@eyelab.msu.edu