From: David Kirchner
Sender: dpkirchner@gmail.com
To: freebsd-stable@freebsd.org
Date: Thu, 10 Nov 2005 08:03:57 -0800
Subject: Re: upgrading 5.4 -> 6.0 without reinstalling. safe ?
Message-ID: <35c231bf0511100803n14674398u3dedbee245c9f264@mail.gmail.com>
In-Reply-To: <200511101444.jAAEii8H010916@lurza.secnetix.de>
References: <20051110142455.GA33797@pc5-179.lri.fr> <200511101444.jAAEii8H010916@lurza.secnetix.de>
List-Id: Production branch of FreeBSD source code

On 11/10/05, Oliver Fromme wrote:
> Well, I vote for /sbin/nologin as root's login shell.
>
> In single-user mode, the system asks for the shell, with
> /bin/sh being the default. In multi-user mode, nobody
> should ever log in as root. You rather log in as normal
> user and then use "su -m", or use sudo(8) or super(1) or
> whatever.

It's awkward to have to reboot a machine just to log in to it from a console. Let's say you're colocated and utilize a "remote hands" service, or you make a mistake with your firewall. You're better off disabling root logins in sshd_config, so no one can use root from remote. Then you can leave a password on the root account and still have console access.

I just leave root logins enabled and use ssh keys. Leaves a very nice, easy to follow, one-line-per-login "paper trail" of who logged in as root from where and when.

But it all comes down to preference, since all options for root access (su, ssh keys, sudo, etc) all carry risk.
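
The one-line-per-login "paper trail" mentioned in the message above can be pulled out of sshd's syslog output; this is an added example, not part of the original post. It assumes sshd's usual "Accepted <method> for <user> from <addr> port <n> ssh2" log line, and the sample lines, host name and addresses are constructed.

```python
import re
from typing import NamedTuple

# Matches sshd's "Accepted <method> for <user> from <addr> port <n>" syslog line.
ACCEPTED = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

class RootLogin(NamedTuple):
    when: str
    host: str
    method: str
    src: str

def root_logins(lines):
    """Return one RootLogin per successful sshd login as root."""
    out = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m and m["user"] == "root":
            out.append(RootLogin(m["when"], m["host"], m["method"], m["src"]))
    return out

def non_key_root_logins(logins):
    """Root logins made without a key; unexpected when root is meant to be key-only."""
    return [entry for entry in logins if entry.method != "publickey"]

# Constructed sample lines in sshd's syslog format (documentation address ranges).
SAMPLE = """\
Nov 10 08:01:12 web1 sshd[4021]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
Nov 10 08:02:40 web1 sshd[4030]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov 10 08:03:57 web1 sshd[4044]: Accepted password for alice from 192.0.2.11 port 51300 ssh2
Nov 10 09:15:03 web1 sshd[4102]: Accepted keyboard-interactive/pam for root from 203.0.113.5 port 40100 ssh2
Nov  9 23:59:01 web1 sshd[3999]: Accepted publickey for root from 192.0.2.10 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    trail = root_logins(SAMPLE)
    for entry in trail:
        print(f"{entry.when}  {entry.host}  root via {entry.method} from {entry.src}")
    for entry in non_key_root_logins(trail):
        print(f"ALERT: root login without a key: {entry.when} from {entry.src}")
```
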