Default User wrote:
> is a root account really necessary?

well, the account is needed for many tasks. I presume you mean to ask, "Is it necessary to be able to directly log into the root account?", and that answer, in OpenBSD, is no. However the account must exist so that many applications can run.

Keep in mind, however, many other Unix-like OSs will ask you to log in as root (and only as root) if you bring them up in single user mode, so this is OpenBSD specific advice (or fix the default settings on the lesser OS! :)

> wouldn't a system with no root
> account, where all maintenance is done as sudo, be more secure?

not necessarily. If people can guess your root account PW, they can probably guess your non-root account PW, too, they just have one more thing to guess...which is probably leaked all over the place. For example, I have no problem figuring out what your account name most likely is on sbcglobal.net, so all I (still) need to figure out is the password.

THAT BEING SAID...in a shared administrative environment (i.e., business), I usually set up the machine, create users with sudo access for all the people administering the machine, then disable the PW in the root user (I do this from one of the non-root users, to make sure I don't lock myself out of the machine!). I don't do this to obfuscate the administrative login process, I do this to make sure that EACH of the administrators of the system is able to administer the entire machine, and no one person has an "advantage" to administrating the machine by having the root PW. That way, in theory, if something happens to me, others can keep the system running and properly maintained. If one administrator leaves, I simply deactivate that account.

Most of these systems actually do have an ssh key on root so that a backup system can log in and back up everything. So yes, 'root' is logged into.

> if so,
> why not install with no root account by default?

Properly handled, it isn't a security advantage. And mishandled, you have a security problem, regardless, don't fool yourself into thinking otherwise. Fix the real problem, don't disable root. If the front door of your house is weak, don't paint it purple so people looking for your thin wood door won't recognize it is a door, FIX THE DANG DOOR.

For many applications, there is just nothing wrong with logging in as root, and it is very possible to hurt yourself if you don't have that option available, or if you do something really stupid on the way to chasing this silly goal of never logging in as root.

Nick.