From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG, gilles.ganault@free.fr
Date: Fri, 30 May 2008 16:53:32 +0200 (CEST)
Subject: Re: Renaming "root" to "homer"?
Message-Id: <200805301453.m4UErWlE011463@lurza.secnetix.de>
X-Newsgroups: list.freebsd-questions
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.2-STABLE-20070808 (i386))

Gilles wrote:
> With all those scripts trying to connect to SSHd as "root", I was
> wondering if it'd be OK to rename this account to eg. "homer", to act
> as a first line of defense?
>
> Are there unknown consequences to doing something like that?

People have already pointed out that it is a bad idea to allow remote
root logins, so I won't repeat that. :-)

But to answer your question: Renaming the "root" account will
probably break quite a lot of things, for example install scripts
which often contain commands like "chown root bin/whatever", or
start/stop scripts for daemon processes that match for certain
commands run by "root", and so on. So better don't do that. Many
programs expect that there is an account called "root" with UID 0.
Otherwise they will malfunction.

> If not, is it done by just editing /etc/password with vi, or is there
> a better way?

No, editing /etc/passwd directly doesn't work. Instead, you should
use the vipw(8) tool, which does several things:

 - It locks the master.passwd file so nobody else can edit it at
   the same time.
 - It opens the master.passwd file with vi (or a different editor
   if you have the environment variable EDITOR set).
 - Afterwards it checks the master.passwd file for correct syntax
   and consistency, to prevent accidental breakage.
 - It generates the passwd file (for compatibility only) and the
   pwd.db and spwd.db database files.
 - Finally the lock is released.

Alternatively you can use the pw(8) command line tool to edit, add
or delete accounts and groups. Please see the manual page for
details.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"C++ is over-complicated nonsense. And Bjorn Shoestrap's book a danger
to public health. I tried reading it once, I was in recovery for months."
        -- Cliff Sarginson
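An added example, not part of Oliver's reply or of FreeBSD's own tools: a small POSIX shell sanity check in the spirit of the consistency pass vipw(8) runs before it rebuilds pwd.db and spwd.db. It checks a master.passwd-style file for the ten-field layout, for duplicate user names, and for the one thing the "rename root to homer" idea breaks: an account literally named "root" with UID 0. The file contents, user names and the function names are constructed for the demonstration; the script only ever touches temporary copies, never /etc/master.passwd.

```shell
#!/bin/sh
# Consistency check for a master.passwd-style file (example code, not vipw(8)).
# master.passwd has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# check_master_passwd FILE returns 0 if the file looks sane, 1 otherwise,
# and prints a line for each problem it finds.
check_master_passwd() {
    file="$1"
    rc=0

    # 1. every line must have exactly ten fields
    badfields=$(awk -F: 'NF != 10 { print NR ": " $0 }' "$file")
    if [ -n "$badfields" ]; then
        echo "wrong field count on line(s):"
        echo "$badfields"
        rc=1
    fi

    # 2. user names must be unique (several names sharing UID 0, such as
    #    FreeBSD's root and toor, is fine; a duplicated name is not)
    dups=$(awk -F: '{ print $1 }' "$file" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate user name(s): $dups"
        rc=1
    fi

    # 3. there must be an account named exactly "root" with UID 0; this is
    #    the check that a renamed superuser account fails, because scripts
    #    like "chown root bin/whatever" look the name up, not the UID
    if ! awk -F: '$1 == "root" && $3 == 0 { found = 1 } END { exit !found }' "$file"; then
        echo "no account named root with UID 0"
        rc=1
    fi

    return $rc
}

# Constructed sample data (not copied from any real system).
GOOD_SAMPLE='root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
gilles:*:1001:1001::0:0:Gilles:/home/gilles:/bin/sh'

# The same file after "root" was renamed to "homer": UID 0 still exists,
# but nothing is called "root" any more.
RENAMED_SAMPLE='homer:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
gilles:*:1001:1001::0:0:Gilles:/home/gilles:/bin/sh'

# write_sample CONTENT: writes CONTENT to a new temp file and prints its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Demonstration when run directly: the untouched file passes, the renamed one fails.
good=$(write_sample "$GOOD_SAMPLE")
renamed=$(write_sample "$RENAMED_SAMPLE")
if check_master_passwd "$good"; then echo "original file: OK"; fi
if ! check_master_passwd "$renamed"; then echo "renamed-root file: BROKEN"; fi
rm -f "$good" "$renamed"
```

The three checks are deliberately the cheap structural ones; vipw(8) additionally rebuilds the databases with pwd_mkdb(8) under the lock, which is why editing /etc/passwd by hand never takes effect on FreeBSD.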