Thread: root logins
28th October 2010
BSDfan666

Hi,

Some of these requirements probably can't be met without some extensive modifications, possibly some additional support programs.. but maybe you can explain why you're so paranoid?

Physical security is difficult, disabling root access wouldn't prevent someone from booting from external media.. they could also remove the hard disk.. or do a multitude of other simple local attacks.

That said, you can edit /etc/ttys and remove all instances of "secure", with this nobody will be able to log in as root, as documented in ttys(5).

You could also remove the graphics card and use a serial port for on-site maintenance, depending on the level of modifications you're willing to make, you could modify the kernel to prevent vga(4) and other wscons(4) devices from attaching.

For SSH, there is an option to prevent root logins, enable that.. and nobody will be able to directly log in using the root account, however non-root users in the wheel group still have access to su(1) and sudo(8) and can elevate permissions.

When a user is logged in, any attempts to run login(1) actually run an instance of su(1) instead, if you read the man page you'll notice that the wheel group plays an important role.. an unsuspecting user may conclude that having no users in the wheel group would be a good idea, but the opposite is true, if the wheel group is empty then su(1) permits all users to attempt a root login.. which will succeed if they know the root password, if however you designate 1 or more accounts to wheel only they will be able to.

Fortunately on OpenBSD, you must edit /etc/sudoers before sudo(8) is a risk.

Now, assuming you configure your system to prevent root logins directly, you will most likely have one user in the wheel group.. as is wise... this account needs to have a good password, but some would also argue that this account is a good candidate for attacks, disallowing password authentication for SSH would be wise as would periodically changing the password.

At the end of the day, the best plan is to only give accounts to people you trust not to abuse the right.

Good luck.
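The three settings discussed in the post above ("secure" in /etc/ttys, the SSH root-login option, and wheel membership) can be checked with a read-only script. This is an added example, not part of the original post; it assumes the SSH option is `PermitRootLogin` in sshd_config, the function names are hypothetical, and the sample files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: read-only audit of the three settings discussed in the post.

# Names of terminals in a ttys(5) file that still carry the "secure" flag.
secure_ttys() {
    awk '{ sub(/#.*/, "") }
         { for (i = 2; i <= NF; i++) if ($i == "secure") { print $1; break } }' "$1"
}

# First PermitRootLogin value in an sshd_config file, or "unset".
# Assumption: Match blocks and Include files are not evaluated here.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Comma-separated members of wheel in a group(5) file (empty if none).
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Print one WARN line per finding; arguments: ttys, sshd_config, group.
audit() {
    for t in $(secure_ttys "$1"); do
        echo "WARN: $t is marked secure, root can log in there"
    done
    [ "$(root_login_setting "$2")" = "no" ] ||
        echo "WARN: PermitRootLogin is not set to no"
    [ -n "$(wheel_members "$3")" ] ||
        echo "WARN: wheel is empty, su(1) will not restrict by group"
    return 0
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
cat > "$demo/ttys" <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on
EOF
printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'wheel:*:0:\noperator:*:5:root\n' > "$demo/group"
audit "$demo/ttys" "$demo/sshd_config" "$demo/group"
rm -rf "$demo"
```

On a live system, call `audit /etc/ttys /etc/ssh/sshd_config /etc/group` instead of the constructed files.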