Do you have a colander? Maybe, maybe not. Things to think about:
Password authentication
As I mentioned above, I don't think passwords are good security.
How strong is your "admin" password? Any 8-character password can be broken by brute-force in a matter of days; if a dictionary attack is used and the password contains words or word fragments, it can be broken in a weekend. That's not good.
My recommendation: disable password authentication, and use alternative authentication methods.
OpenBSD supports many authentication technologies (see login.conf(5) for most), including Kerberos and physical token systems. For simplicity with SSH, I happen to like public key authentication when keys can be stored remotely, and S/Key one-time-use passphrases when they can't (see skey(1) and related man pages).
Sudo limitations
You are allowing vi(1) to be executed as root. Once in the editor, the "admin" user can request a shell, and they will then have a root shell without restriction and without audit history.
If you are trying to limit what "admin" can do, you must only permit the execution of programs that do not allow shell escapes.
------------------------------------------------------
If you are "admin" and you are trying to limit damage should someone acquire the password ... your best solution is to not use passwords, or not use them alone.
Current commercial best practice is to require binary authentication -- two different things:
- Something you have (token device, binary key, biometric, etc.)
- Something you know (passphrase, password, PIN, etc.)
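
Added example, not part of the original post: a small audit script for the "Sudo limitations" point above, flagging sudoers rules that let a user run a shell-capable program as root without the NOEXEC tag. The sample rules, the program list and the simplified parsing (no aliases, line continuations or Defaults) are assumptions made for illustration.

```python
import re

# Constructed sample sudoers rules (not taken from the thread).
SAMPLE_SUDOERS = """\
# constructed example
admin ALL = /usr/bin/vi /etc/pf.conf
admin ALL = NOEXEC: /usr/bin/less /var/log/authlog
admin ALL = sudoedit /etc/pf.conf
admin ALL = /sbin/pfctl -f /etc/pf.conf, /usr/bin/more /var/log/messages
"""

# Assumption: a short, non-exhaustive list of programs with shell escapes.
SHELL_CAPABLE = {"vi", "vim", "view", "ex", "ed", "mg", "less", "more", "man",
                 "ftp", "sh", "ksh", "csh"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG = re.compile(r"(NOEXEC|EXEC|NOPASSWD|PASSWD|SETENV|NOSETENV):\s*")


def audit(text):
    """Return (line number, user, program) for each risky command rule.

    Simplified: no alias expansion, line continuations or Defaults handling.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or line.startswith(SKIP):
            continue
        user_host, cmds = line.split("=", 1)
        user = user_host.split()[0]
        noexec = False  # a tag applies to the rest of the command list
        for cmd in cmds.split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())  # drop "(root)"
            while (m := TAG.match(cmd)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(m.group(1), noexec)
                cmd = cmd[m.end():]
            if not cmd:
                continue
            prog = cmd.split()[0]
            name = prog.rsplit("/", 1)[-1]
            # "ALL" permits any program, including every shell-capable one.
            if not noexec and (name == "ALL" or name in SHELL_CAPABLE):
                findings.append((lineno, user, prog))
    return findings


if __name__ == "__main__":
    for lineno, user, prog in audit(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user} may run {prog} without NOEXEC")
```

NOEXEC only takes effect for dynamically linked programs, so for file editing a `sudoedit` rule is the more dependable replacement for running an editor as root.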