
Re: Root login



I use an automated preseed install, but when did they add the option to
lock out the root account in the installer, and where is it asked?

I agree that a locked root account, user accounts with a secure password
policy and RSA keys, proper configuration of sudo, and use of AllowUsers
in sshd are the best way to go for remote access.

François Cerbelle wrote:
> On Thu 4 September 2008 14:25, Paweł Krzywicki wrote:
>> On Thursday, 4 September 2008, kishore@vodafone.it wrote:
>>> I too noticed a similar thing when I installed Etch on my new laptop.
>>> The solution was as Cerbelle said: log in as a normal user and use sudo
>>> (or you can activate root login from the login menu, but I personally
>>> consider it really dangerous!)
>> I am wondering why this is dangerous?
>> If your password is seen as "strong", "FaG34#fCFD12drtfdg" for example,
>> why is this dangerous?
> 
> Just because you log in "anonymously". In fact, if several people need
> root access, there are two possibilities:
> - everybody knows and uses the same root account/password, but you will not
> be able to know who did what. You can only see from which IP the "root"
> connection was made.
> - the "root" account is locked, without password. Nobody can directly connect
> to it. Everybody first needs to connect with their personal account and
> password before executing something as root. Nobody knows another one's
> password, there is no common account or password, and you can always know
> who ran this damn "rm /etc/passwd".
> 
> Furthermore, root is also ALWAYS the first account to be attacked by
> script kiddies. If it is locked, you are sure they will not be able to
> connect to this account.
> 
> 
> Francois Cerbelle

Thank you,
-- 
James Shupe
HermeTek Network Solutions
http://www.hermetek.com
1.866.325.6207
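The message above lists three settings for a host that admits remote administrators (root locked, direct root SSH login disabled, AllowUsers restricting who may log in). The following script is an added example, not code from the thread or any poster: it audits an sshd_config and a shadow-format file for those three settings. The function names and the sample files are constructed for the example; the file formats are the standard OpenSSH and shadow(5) ones.

```sh
#!/bin/sh
# Added example, not part of the thread: audit the settings the poster lists
# (locked root account, AllowUsers in sshd, no direct root SSH login) against
# constructed sample files so it runs offline. Point the functions at
# /etc/ssh/sshd_config and /etc/shadow (as root) to audit a real host.

# Effective value of an sshd_config keyword: sshd honours the first occurrence
# and matches keywords case-insensitively. Match blocks are ignored here.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# True when root's shadow password field starts with "!" or "*", meaning no
# password can ever match (what "passwd -l root" leaves behind).
root_locked() {  # $1 = shadow-format file
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { exit !(found && locked) }' "$1"
}

# Print one WARN line per deviation from the recommended setup; always
# returns 0 so callers running under "set -e" are not aborted.
audit_remote_root() {  # $1 = sshd_config, $2 = shadow file
    prl=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$prl" = "no" ] ||
        echo "WARN PermitRootLogin=${prl:-unset}: set it to 'no' so root is reached only through a personal account"
    [ -n "$(sshd_value "$1" AllowUsers)" ] ||
        echo "WARN AllowUsers unset: every account with a valid password is reachable over SSH"
    root_locked "$2" ||
        echo "WARN root has a usable password: run 'passwd -l root' and grant admins sudo instead"
    return 0
}

# Number of WARN lines, for scripting.
warn_count() { audit_remote_root "$1" "$2" | awk '/^WARN/ { n++ } END { print n + 0 }'; }

# Constructed sample inputs (not copied from any real host).
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$SAMPLE_DIR/sshd_weak"
printf 'root:$6$constructedhash:14130:0:99999:7:::\n' > "$SAMPLE_DIR/shadow_weak"
printf 'Port 22\nPermitRootLogin no\nAllowUsers alice bob@192.0.2.*\n' > "$SAMPLE_DIR/sshd_hardened"
printf 'root:!:14130:0:99999:7:::\nalice:$6$constructedhash:14130:0:99999:7:::\n' > "$SAMPLE_DIR/shadow_hardened"

echo "== weak host ==";     audit_remote_root "$SAMPLE_DIR/sshd_weak" "$SAMPLE_DIR/shadow_weak"
echo "== hardened host =="; audit_remote_root "$SAMPLE_DIR/sshd_hardened" "$SAMPLE_DIR/shadow_hardened"
```

The weak sample trips all three checks and the hardened one none; the audit only reads the files, so it is safe to run against a live host before deciding what to change.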