From: perryh@pluto.rain.com (Perry Hutchison)
Date: Fri, 26 Sep 2014 20:43:36 -0700
To: firmdog@gmail.com
Cc: freebsd-questions@freebsd.org, kpneal@pobox.com, galtsev@kicp.uchicago.edu
Subject: Re: pkg_delete bash, logged out by accident, can't ssh back in (not good)
Message-Id: <54263268./Api5Tg7oKkx/Tvm%perryh@pluto.rain.com>
References: <20140926210145.GA10084@neutralgood.org> <50075.166.147.100.43.1411770059.squirrel@cosmo.uchicago.edu>

"firmdog@gmail.com" wrote:

> Even if you are very experienced you can always screw up no matter
> how old you are. :-)

This is one example of why it is unwise to change the root user's
shell to bash (or any shell from ports). That's what the toor user
is for.

If you use remote access for administration, it's wise to also have
a non-root administrative user, with su privilege, with a base-system
shell. That is safer than allowing root or toor to be accessed
remotely, since an attacker must then guess the username, its
password, and the root password in order to get root access.
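
Added example, not part of the original message: a POSIX sh audit of the two conditions recommended above (root keeps a base-system shell; at least one non-root user who can su has one too). It assumes ports shells live under /usr/local and that "su privilege" means membership in the wheel group; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: shells installed from ports live under
# /usr/local, and "su privilege" means membership in the wheel group.

# shell_of USER PASSWD_FILE: print the login shell (empty field = /bin/sh)
shell_of() {
    awk -F: -v u="$1" '$1 == u { s = $NF; if (s == "") s = "/bin/sh"; print s; exit }' "$2"
}

# is_base_shell PATH: false for ports shells, nologin, or an unknown user
is_base_shell() {
    case "$1" in
        ""|/usr/local/*|*/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# wheel_members GROUP_FILE: print wheel's member list, one name per line
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# audit PASSWD_FILE GROUP_FILE: print findings; return 0 only if both hold
audit() {
    rc=0
    root_shell=$(shell_of root "$1")
    if ! is_base_shell "$root_shell"; then
        echo "FAIL: root shell is '$root_shell', not a usable base-system shell"; rc=1
    fi
    admin=""
    for u in $(wheel_members "$2"); do
        [ "$u" = root ] && continue
        if is_base_shell "$(shell_of "$u" "$1")"; then admin=$u; break; fi
    done
    if [ -n "$admin" ]; then
        echo "OK: $admin is in wheel and has a base-system shell"
    else
        echo "FAIL: no non-root wheel member has a base-system shell"; rc=1
    fi
    return "$rc"
}

# Constructed sample data: root switched to a ports shell, admin left on tcsh.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:*:0:0:Charlie &:/root:/usr/local/bin/bash' \
    'toor:*:0:0:Bourne-again Superuser:/root:/usr/local/bin/bash' \
    'admin:*:1001:1001:Admin:/home/admin:/bin/tcsh' > "$demo_dir/passwd"
printf '%s\n' 'wheel:*:0:root,admin' > "$demo_dir/group"
audit "$demo_dir/passwd" "$demo_dir/group" || echo "audit found problems"
```

On a live host the same check is `audit /etc/passwd /etc/group`; toor is deliberately not checked, since it is the account meant to carry a non-base shell.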