On Mon, Jan 27, 2003 at 11:23:10PM +0800, Ian C. Sison wrote:
> > Ian probably meant "set PermitRootLogin to yes", if you want to allow
> > root to login via SSH, that is. Having said that I highly recommend you
> > -not- do this. Instead install sudo and add the list of users you want
> > to be able to gain root access -when needed- to the /etc/sudoers file.
> >
>
> I'd go a bit further in that if your services permit, do away with
> creating users on your box totally. Local users in a system are a
> security hole just waiting to be exploited.
>
> Ideally, no one deserves shell access except root, not even the owner of
> the company 8).

My thinking on this is that admins should have unprivileged accounts that they use to log in to, then use sudo to execute their adminly chores.

One of the advantages to this is that superuser accounts don't experience the problems that unprivileged accounts do, and having an unprivileged account helps superusers locate the actual problem and solve it correctly instead of using their superuser powers to override all problems. Sometimes a normal permissions problem can be solved as an unprivileged user.

Another advantage to using sudo is that it logs commands executed using sudo someplace on the system. Since you execute the command with sudo, you can trace responsibility for what was done by viewing the log. A shared account, whether superuser or not, makes it more difficult to determine responsibility for and accountability for actions performed using that account.

eric

--
eric pareja (xenos AT maharlika.upm.edu.ph)
[ Philippine Linux Users' Group ] Linux User #8159 http://counter.li.org
"Open the doors so you don't have to go through windows." - e. pareja
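
Added example, not part of the original thread: the accountability point in the reply above, shown by grouping sudo log entries by the account that invoked them. The log lines are constructed samples in sudo's default syslog format, and `SHARED_ACCOUNTS`, `parse_sudo_line` and `audit` are names chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Jan 27 23:41:02 box sudo:     eric : TTY=pts/1 ; PWD=/home/eric ; USER=root ; COMMAND=/bin/chown www-data /srv/www/index.html
Jan 27 23:44:37 box sudo:      ian : TTY=pts/2 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/vi sshd_config
Jan 27 23:45:10 box sudo:    guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/su -
Jan 27 23:47:55 box sshd[812]: Accepted password for eric from 192.0.2.10 port 4022 ssh2
Jan 27 23:52:19 box sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/shutdown -r now
"""

SHARED_ACCOUNTS = {"root"}  # assumption: accounts more than one person can log in to

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$"
)

def parse_sudo_line(line):
    """Return {'user', 'fields', 'notes', 'command'} for a sudo entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is the last field and may contain " ; " itself, so split it off first.
    head, sep, command = m["body"].partition("COMMAND=")
    if not sep:
        return None
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value      # TTY, PWD, USER (the target account)
        else:
            notes.append(part)       # e.g. "user NOT in sudoers"
    return {"user": m["user"], "fields": fields, "notes": notes, "command": command}

def audit(log_text):
    """Split sudo entries into per-user commands, denials, and shared-account use."""
    allowed, denied, shared = defaultdict(list), [], []
    for entry in filter(None, map(parse_sudo_line, log_text.splitlines())):
        if entry["notes"]:
            denied.append((entry["user"], entry["notes"][0], entry["command"]))
        elif entry["user"] in SHARED_ACCOUNTS:
            shared.append((entry["user"], entry["command"]))  # no individual to trace
        else:
            allowed[entry["user"]].append(entry["command"])
    return dict(allowed), denied, shared

if __name__ == "__main__":
    for name, result in zip(("allowed", "denied", "shared"), audit(SAMPLE_LOG)):
        print(name, result)
```

The entry invoked as `root` lands in the third bucket because the log names only the shared account, not the person who was logged in to it.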
