Koozali.org: home of the SME Server
Legacy Forums => Suggestions => Topic started by: Jáder on August 14, 2005, 04:40:22 PM
-
I wish that the main user was not "root", for security reasons.
Maybe a user like sme would be rather difficult for hackers ...
This would be done to 6.01, 6.5 AND mainly 7.0
Thanks
-
> I wish that the main user was not "root", for security reasons.
> Maybe a user like sme would be rather difficult for hackers ...
> This would be done to 6.01, 6.5 AND mainly 7.0
Root is only allowed to log in on the console by default and is not configured for any services (e.g. IMAP, POP, etc.)
Renaming root is "non-trivial" and provides very little additional security. A root equivalent account is just as dangerous as a root account - each must be properly protected with strong passwords and no remote access.
Do not enable root access over SSH, and if you must, only do so with SSH public keys. And even then, don't - enable public keys for a normal account and use sudo.
-
Gordon
Thank you for your quick answer.
I understand your choices about root, so here is a new suggestion:
make generation of ssh keys easier on SME7. That would allow more people to use keys and not passwords.
I don't know how to enable keys for other users (nor how to allow other users to log in on the console @ 6.0.1-01).
Thanks
Jáder
-
> Gordon
> Thank you for your quick answer.
> I understand your choices about root, so here is a new suggestion:
> make generation of ssh keys easier on SME7. That would allow more people to use keys and not passwords.
I don't have time to write it for 7.0, but if someone wants to contribute it, I'd love to see this. I'd like to see something that a user can select to generate a key, and have it installed for them.
It would fit nicely on the userpanel, with password, vacation, etc. (and yes, I'd like to see the userpanel work pulled in at some stage).
> I don't know how to enable keys for other users
There are HOWTOs for SSH key generation on this site.
> (nor how to allow other users to log in on the console @ 6.0.1-01).
All you need to do is change their shell. Only do this for administrative users - nobody else needs to be able to log in.
-
Gordon
Thank you for your tip about how to allow a non-root user to log in.
I already implemented this on my own server for testing.
I'll start to test v.7B1 today.
Thank you.
Jáder
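-
An added example, not part of the original thread and not SME Server code: a small shell audit of sshd_config text against the advice given in the replies above (no root login over SSH, public keys rather than passwords). The function names and the two sample configurations are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit sshd_config text against the advice in this thread.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
# Simplification: parsing stops at the first Match block.
sshd_value() {  # $1 = lowercase keyword, config on stdin; prints first value
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        { sub(/[=]/, " ") }                 # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }'
}

audit_sshd() {  # $1 = config text; prints findings, returns 1 on any FAIL
    cfg=$1; rc=0
    root=$(printf '%s\n' "$cfg" | sshd_value permitrootlogin)
    pass=$(printf '%s\n' "$cfg" | sshd_value passwordauthentication)
    pub=$(printf '%s\n' "$cfg" | sshd_value pubkeyauthentication)
    case $root in
        no)  echo "OK   PermitRootLogin no (use a normal account and sudo)" ;;
        prohibit-password|without-password|forced-commands-only)
             echo "WARN PermitRootLogin $root (root over SSH, keys only)" ;;
        '')  echo "WARN PermitRootLogin unset (default varies by OpenSSH version)" ;;
        yes) echo "FAIL PermitRootLogin yes (root login over SSH is allowed)"; rc=1 ;;
        *)   echo "FAIL PermitRootLogin $root (unrecognised value)"; rc=1 ;;
    esac
    case $pub in
        no)  echo "FAIL PubkeyAuthentication no (keys cannot be used)"; rc=1 ;;
        *)   echo "OK   PubkeyAuthentication ${pub:-yes (default)}" ;;
    esac
    case $pass in
        no)  echo "OK   PasswordAuthentication no (keys only)" ;;
        *)   echo "WARN PasswordAuthentication ${pass:-yes (default)} (passwords accepted)" ;;
    esac
    return $rc
}

# Constructed sample configurations (not taken from any real server).
SAMPLE_WEAK='# constructed sample
PermitRootLogin yes
PasswordAuthentication yes'
SAMPLE_HARDENED='# constructed sample
permitrootlogin=no
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin yes'

audit_sshd "$SAMPLE_WEAK" || echo "=> weak sample fails the audit"
audit_sshd "$SAMPLE_HARDENED" && echo "=> hardened sample passes"
```

On a live system, `sshd -T` prints the effective configuration, including built-in defaults, and its output can be fed to the same checks.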