On Thu, Aug 18, 2005 at 04:02:21PM +0000, Scott Plumlee wrote:
> Nick Holland wrote:
> >When I set up an OpenBSD system, one of the first things I do is create
> >a personal user for myself, put myself in the wheel group, configure
> >sudo to let wheel users do anything, log in as that user, and disable
> >root logins. Completely disable. This does a few things...
>
> Is your preferred method for doing so to remove the root user, or set
> the shell to nologin, or something else? I like the idea, but I'd
> rather not shoot myself in the foot doing it.

What I normally do is use vipw to change the encrypted root PW to "*" or put a number of identical repeating characters in the middle of the encrypted PW.

"Completely disable" is probably the wrong expression...as you could still log in single user (no PW prompted for), and if you could find a REASON you absolutely had to log in as root from a multi-user system, you could always do a "sudo su -" which will take you to root directly. I've done this, but never had reason that I *had* to do it.

By "completely disable", I meant "Unable to directly log into the account from a login prompt". That's what happens when writing an e-mail and realizing I should have left for work 15 minutes earlier...

Don't remove the root user, don't probably need to change the login shell (though I can't think of any way that would hurt you).

sudo -s is handy for doing lots of root activities, if you are not worried about command logging.

I also tend to have an "alias ]=sudo" in my .profiles. It seems to help encourage me not to use "sudo -s" because I'm lazy. :) I'm sure there is some use of the ] key in a command line I'm blowing out, but I haven't come across it yet. :)

Nick.
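
A pre-flight check for the "shoot myself in the foot" concern in the question, as an added example that is not part of the original e-mail: it reads copies of master.passwd, group and sudoers and confirms that a non-root wheel member with a sudo rule would remain before root's password field is changed to "*". The function names, the user alice and the use of file copies are assumptions, and the sample data is constructed.

```sh
#!/bin/sh
# Added example: pre-flight check before starring out root's password.
# Arguments are copies of master.passwd, group and sudoers (paths assumed).

# State of root's password field: locked ("*"), empty, hash or missing.
# A hash altered with repeated characters still reports as "hash".
root_pw_state() {
    awk -F: '$1 == "root" { found = 1
        if ($2 == "*") print "locked"
        else if ($2 == "") print "empty"
        else print "hash" }
        END { if (!found) print "missing" }' "$1"
}

# Members listed for wheel in the group file, excluding root.
wheel_admins() {
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != "root") print m[i] }' "$1"
}

# True if the sudoers copy has an uncommented %wheel rule.
wheel_sudo_rule() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=' "$1"
}

# True only if a non-root wheel member with a sudo rule would remain.
safe_to_lock_root() {
    [ "$(root_pw_state "$1")" != "missing" ] &&
        [ -n "$(wheel_admins "$2")" ] && wheel_sudo_rule "$3"
}

# Demo on constructed data (not taken from any real system).
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:*:0:0:daemon:0:0:root:/root:/bin/ksh\n' > "$d/master.passwd"
    printf 'wheel:*:0:root,alice\n' > "$d/group"
    printf '%%wheel ALL=(ALL) ALL\n' > "$d/sudoers"
    echo "root password field: $(root_pw_state "$d/master.passwd")"
    if safe_to_lock_root "$d/master.passwd" "$d/group" "$d/sudoers"
    then echo "ok: a wheel user with sudo remains"
    else echo "stop: no sudo path to root would remain"
    fi
    rm -rf "$d"
}
demo
```

The check only sees members listed on the wheel line of the group file; a user whose primary group is wheel but who is not listed there is not counted.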