On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
> Hi!
> I have been asked to create admin accounts for a machine such that
> all of them can access that machine as root but with different
> username and password.
>

In many environments, this is reasonable. Sometimes you have more than one person who must have full administrative rights, unless you plan to have your one administrator be on 24/7 call. It is good policy to prohibit anyone, even administrators, from sharing accounts, so you give each admin their own account.

Of course, if they only need limited admin rights, then sudo is probably a better solution. Talk to your customer and find out what they are really trying to accomplish.

The "toor" account is an example of exactly what you want, although by default it is disabled (by an invalid password field). To create a similar account, use "vipw" to edit the password file. Copy the root entry, but give each person their own name and the shell of their choice (the shell must be in /etc/shells). Leave everything else the same as for root. If you copy the password field from the root account, then the new admin account will have the same password, which should be changed by the user of the account.

Also, never change the shell for root. It needs to be as it is for some things to work right. That's why the toor account exists: so you can set up an admin account with your choice of shell.

The big disadvantage of this is that if you have three admin accounts, an attacker has three times greater chance of cracking the root password if they get their hands on your password file. Stress to the admins that it is critical that they use strong passwords on the admin accounts.

A good way to create a strong password is to come up with a sentence of 8 or more words known only to yourself (i.e. NOT a well known phrase), and take the first letter of each word to form an acronym. Throw in some strange capitalization and a few special characters for best effect. For example, the phrase might be "my mother dances with bears (in the moonlight)", which gives me a password of "mMdwb(itm)".
If the phrase used is widely known, this method becomes as easy to crack as single words of the same length, but if you use unique phrases the resulting passwords are very good.

Sure, the admins can do bad things and cover their tracks if they put enough effort into it, but they can do that if they share a single admin account, also.

Hope that helps.

- Bob

> Thanks
>
> -pranav
>
> *******************************************************************
> Pranav A. Desai
>
> Home :- (937) 294 1381
> *******************************************************************
>
> On 9 Oct 2002, Kirk Strauser wrote:
> > At 2002-10-09T17:36:02Z, "Pranav A. Desai" <[EMAIL PROTECTED]> writes:
> > > How can I create a user account that can function like a root
> > > account with the same privileges ? I need to create three such
> > > accounts. Is it possible ?
> >
> > Short answer: you probably don't really want to do this. What
> > problem are you needing to solve by having multiple root accounts?
> > --
> > Kirk Strauser
> > In Googlis non est, ergo non est.
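
An added example, not part of the original thread: a Python check that lists every UID-0 entry in a master.passwd-format file and flags the conditions the reply above mentions (a password field copied from root and never changed, a disabled password field as on toor, a shell missing from /etc/shells). The function name `audit_uid0`, the sample entries and the hash placeholders are all constructed for illustration.

```python
# Added example: audit UID-0 accounts in a FreeBSD-style master.passwd.
# Every account entry and hash placeholder below is constructed.
from collections import defaultdict

SAMPLE_MASTER_PASSWD = """\
# constructed sample
root:$6$CONSTRUCTED-HASH-A:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$6$CONSTRUCTED-HASH-A:0:0::0:0:Alice (admin):/root:/usr/local/bin/bash
bob:$6$CONSTRUCTED-HASH-B:0:0::0:0:Bob (admin):/root:/usr/local/bin/zsh
carol:$6$CONSTRUCTED-HASH-C:1001:1001::0:0:Carol:/home/carol:/bin/sh
"""
SAMPLE_SHELLS = "/bin/sh\n/bin/csh\n/bin/tcsh\n/usr/local/bin/bash\n"


def audit_uid0(master_passwd, shells):
    """Return {account: [findings]} for every UID-0 entry."""
    valid_shells = {s.strip() for s in shells.splitlines() if s.strip()}
    accounts, by_hash = {}, defaultdict(list)
    for line in master_passwd.splitlines():
        fields = line.split(":")
        # Fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
        if line.startswith("#") or len(fields) != 10 or fields[2] != "0":
            continue
        # An empty shell field means the default shell, /bin/sh.
        name, pw, shell = fields[0], fields[1], fields[9] or "/bin/sh"
        accounts[name] = (pw, shell)
        if pw and not pw.startswith("*"):
            by_hash[pw].append(name)

    report = {}
    for name, (pw, shell) in accounts.items():
        findings = []
        if not pw:
            findings.append("empty password field")
        elif pw.startswith("*"):  # invalid field, as on the default toor
            findings.append("password login disabled")
        elif len(by_hash[pw]) > 1:
            others = [n for n in by_hash[pw] if n != name]
            findings.append("password field shared with " + ", ".join(others))
        if shell not in valid_shells:
            findings.append("shell %s not in /etc/shells" % shell)
        report[name] = findings
    return report


if __name__ == "__main__":
    for account, found in audit_uid0(SAMPLE_MASTER_PASSWD, SAMPLE_SHELLS).items():
        print(account, "->", "; ".join(found) or "ok")
```

On a real system the two arguments would be the contents of /etc/master.passwd (readable only by root) and /etc/shells.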