Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I decided to up the security on my system by changing the root password and setting password ageing through YaST>Security and Users>Local Security. However, considering that I very rarely log in as root, is there a chance that the root password will be expired without giving any warning via my user account?
I already had some fun arising from this, as I set it without changing the password on my user account, then logged out. I expected simply that I would be prompted to change my password next time I logged in, but nooo... Instead, next time I booted up I was greeted with the message that "the system administrator has locked your account." Finally solved this by logging in as root and running usermod --inactive -1 <name>, then changing the password.
Also (bonus question): is there any way to change the username for root, to make it a little more difficult for would-be hackers?
I can answer the bonus question: root is simply the user with UID 0, GID 0 so yes, in theory, you could change the name of the super-user. Just change the entries in /etc/passwd and /etc/shadow from root to whatever and it should work. I have never tried this for the root account, so whatever security measures (like PAM or something else) you have might throw a fit if it's changed from root.
Thanks for the response. Sounds like something I should try with a test installation first (when I get round to it), rather than with the installation I'm using everyday.
Sounds like something the people who make up security "best practices" for Microsoft should have tested as well. Not only does changing the default local admin account (root) break things in Linux, doing so in Windows does too. For example, when you attempt to repair a Windows installation, the recovery console is hard coded to prompt for the Administrator account password. Not an administrator account, the Administrator account! So if you change it you'll have to completely reinstall the OS to do something like fixmbr. That makes it a pretty bad practice in my book.
Yet Mac OSX allows you to change the Administrator username to, say, Ermintrude. In this case the administrator is not root, but allows you to carry out a number of root-like tasks, and to activate or deactivate root login as necessary (deactivated by default). sudo works with the administrator, rather than root, password under OSX.
Anyone got any idea on the first question I posed (possibility of being locked out of root without warning by password ageing)?
You can always change the root password to something you know if you have physical access to the box. Log on in single user mode or use some LiveCD and chroot.
Plausible. Just have expiries (cronjob) emailed to your unpriv'ed user account.
Wrt to bonus: don't. Please search this forum for previous discussions about it.
Quote:
Yet Mac OSX allows you to change the Administrator username to, say, Ermintrude.
And I can create a user account named root under Windows too, make that user a member of the account operators group and disable local Administrator. Net effect would be exactly the same: I've created an additional layer of complexity to solve a nonexistent security problem. Weak passwords and users with no understanding of social engineering are the real problem. The solution, therefore, is to enforce strong passwords and educate your users. Not create an administrative nightmare. IMVHO.
Quote:
Plausible. Just have expiries (cronjob) emailed to your unpriv'ed user account.
How would I do this? Apropos doesn't show anything for 'expiries'.
Quote:
Wrt to bonus: don't. Please search this forum for previous discussions about it.
OK I won't
I don't agree, though, that it is pointless to change the name of the admin account. Knowing that any linux system will have an account called root vastly simplifies the job of anyone who wants to hack in. It means that, with passwords of equivalent complexity, it will actually be easier for a hacker to access root than an unprivileged user account.
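One way to do the cron-job notification suggested in the thread, as an added example that is not part of the original posts: it reads root's ageing fields from /etc/shadow and mails a warning that covers both expiry and the inactivity lock behind the "administrator has locked your account" message. NOTIFY_USER, WARN_DAYS, the script path and a working local `mail` command are assumptions.

```shell
#!/bin/sh
# Added example: mail an unprivileged account before root's password ages out.
# Assumes the shadow(5) field layout, a working local `mail` command, and a daily
# root cron entry such as: /usr/local/sbin/pw-age-warn.sh --run (hypothetical path)
NOTIFY_USER="${NOTIFY_USER:-youruser}"   # placeholder: your unprivileged login
WARN_DAYS="${WARN_DAYS:-14}"             # start warning this many days ahead

# ageing_status SHADOW_LINE TODAY   (TODAY = days since 1970-01-01)
# Prints "never", "must-change", or "<days_left> <days_until_lock|none>".
# A negative days_left means the password has already expired.
ageing_status() {
    IFS=: read -r _user _hash lastchg _min max _warn inactive _rest <<EOF
$1
EOF
    case $max in ''|-1) echo never; return ;; esac
    case $lastchg in
        '') echo never; return ;;
        0)  echo must-change; return ;;
    esac
    left=$(( lastchg + max - $2 ))
    case $inactive in
        ''|-1) echo "$left none" ;;                  # no inactivity lock set
        *)     echo "$left $(( left + inactive ))" ;;
    esac
}

check_account() {
    line=$(grep "^$1:" /etc/shadow) || return 0
    status=$(ageing_status "$line" "$(( $(date +%s) / 86400 ))")
    case $status in
        never) return 0 ;;
        must-change) msg="$1 must change its password at next login." ;;
        *)  set -- "$1" $status
            [ "$2" -gt "$WARN_DAYS" ] && return 0
            msg="$1: password expires in $2 day(s); days until account lock: $3" ;;
    esac
    echo "$msg" | mail -s "Password ageing warning for $1" "$NOTIFY_USER"
}

# Only read /etc/shadow and send mail when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    check_account root
fi
```

The script has to run from root's crontab, since /etc/shadow is not readable by ordinary users.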