upgrading 5.4 -> 6.0 without reinstalling. safe ?

David Kirchner dpk at dpk.net
Thu Nov 10 08:11:16 PST 2005


On 11/10/05, Oliver Fromme <olli at lurza.secnetix.de> wrote:
> Well, I vote for /sbin/nologin as root's login shell.
>
> In single-user mode, the system asks for the shell, with
> /bin/sh being the default.  In multi-user mode, nobody
> should ever log in as root.  You rather log in as a normal
> user and then use "su -m", or use sudo(8) or super(1) or
> whatever.

It's awkward to have to reboot a machine just to log in to it from a
console. Let's say you're colocated and utilize a "remote hands"
service, or you make a mistake with your firewall. You're better off
disabling root logins in sshd_config, so no one can use root from
remote. Then you can leave a password on the root account and still
have console access.

I just leave root logins enabled and use ssh keys. Leaves a very nice,
easy to follow, one-line-per-login "paper trail" of who logged in as
root from where and when. But it all comes down to preference, since
all options for root access (su, ssh keys, sudo, etc.) carry risk.
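
The one-line-per-login trail described in the message above can be turned into a small audit, shown here as an added example that is not part of the original post. It assumes the syslog format of current OpenSSH, which appends the key type and fingerprint to the "Accepted publickey" line; the log lines, addresses, fingerprints and the `KEY_OWNERS` inventory are constructed for illustration.

```python
import re

# Constructed sample lines in the syslog format written by current OpenSSH.
SAMPLE_LOG = """\
Nov 10 08:01:12 host1 sshd[811]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:AAAAexampleFingerprintAlice
Nov 10 08:03:40 host1 sshd[825]: Accepted publickey for alice from 192.0.2.10 port 50130 ssh2: ED25519 SHA256:AAAAexampleFingerprintAlice
Nov 10 08:07:55 host1 sshd[840]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov 10 08:09:02 host1 sshd[851]: Accepted password for root from 198.51.100.7 port 40031 ssh2
Nov 10 08:11:16 host1 sshd[860]: Accepted publickey for root from 203.0.113.44 port 61001 ssh2: RSA SHA256:BBBBexampleFingerprintUnknown
"""

# Hypothetical inventory mapping key fingerprints to the admin who holds the key.
KEY_OWNERS = {"SHA256:AAAAexampleFingerprintAlice": "alice"}

# Matches successful root logins only; the fingerprint part is optional because
# password logins (and older sshd versions) do not log one on this line.
ACCEPTED_ROOT = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>\S+))?$"
)

def root_logins(log_text, key_owners):
    """Return one record per successful root login: when, from where, who."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_ROOT.match(line.strip())
        if not m:
            continue
        method, fp = m["method"], m["fp"]
        if method != "publickey":
            who, alert = "unknown", "root login without a key"
        elif fp in key_owners:
            who, alert = key_owners[fp], None
        else:
            who, alert = "unknown", "key not in inventory"
        events.append({"when": m["when"], "src": m["src"],
                       "method": method, "who": who, "alert": alert})
    return events

if __name__ == "__main__":
    for e in root_logins(SAMPLE_LOG, KEY_OWNERS):
        flag = f"  <-- {e['alert']}" if e["alert"] else ""
        print(f"{e['when']}  root via {e['method']} from {e['src']} ({e['who']}){flag}")
```

A password-based root login or a key missing from the inventory is flagged, since either one breaks the attribution that key-only root access is meant to provide.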


More information about the freebsd-stable mailing list