I decided to up the security on my system by changing the root password and setting password ageing through YaST>Security and Users>Local Security. However, considering that I very rarely log in as root, is there a chance that the root password will be expired without giving any warning via my user account?

I already had some fun arising from this, as I set it without changing the password on my user account, then logged out. I expected simply that I would be prompted to change my password next time I logged in, but nooo... Instead, next time I booted up I was greeted with the message that "the system administrator has locked your account." Finally solved this by logging in as root and running usermod --inactive -1 <name>, then changing the password.

Also (bonus question): is there any way to change the username for root, to make it a little more difficult for would-be hackers?

Thanks,
Rob

I can answer the bonus question: root is simply the user with UID 0, GID 0 so yes, in theory, you could change the name of the super-user. Just change the entries in /etc/passwd and /etc/shadow from root to whatever and it should work. I have never tried this for the root account, so whatever security measures (like PAM or something else) you have might throw a fit if its changed from root.

Thanks for the response. Sounds like something I should try with a test installation first (when I get round to it), rather than with the installation I'm using everyday.

Rob

Sounds like something the people who make up security "best practices" for Microsoft should have tested as well. Not only does changing the default local admin account (root) break things in Linux, doing so in Windows does too. For example, when you attempt to repair a Windows installation, the recovery console is hard coded to prompt for the Administrator account password. Not a administrator account, the Administrator account! So if you change it you'll have to completely reinstall the OS to do something like fixmbr. That makes it a pretty bad practice in my book.

Yet Mac OSX allows you to change the Administrator username to, say, Ermintrude. In this case the administrator is not root, but allows you to carry out a number of root-like tasks, and to activate or deactivate root login as necessary (deactivated by default). sudo works with the administrator, rather than root, password under OSX.

Anyone got any idea on the first question I posed (possibility of being locked out of root without warning by password ageing)?

Yours,
Rob

You can always change the root password to something you know if you have physical acces to the box. Log on in single user mode or use some LiveCD and chroot.

Plausible. Just have expiries (cronjob) emailed to your unpriv'ed user account.
Wrt to bonus: don't. Please search this forum for previous discussions about it.

And I can create a user account named root under Windows too, make that user a member of the account operators group and disable local Administrator. Net effect would be exactly the same: I've created an additional layer of complexity to solve a non-existant security problem. Weak passwords and users with no understanding of social engineering is the real problem. The solution, therefore, is to enforce strong passwords and educate your users. Not create an administrative nightmare. IMVHO.

Thanks for the reply.
How would I do this? Apropos doesn't show anything for 'expiries'
OK I won't

I don't agree, though, that it is pointless to change the name of the admin account. Knowing that any linux system will have an account called root vastly simplifies the job of anyone who wants to hack in. It means that, with passwords of equivalent complexity, it will actually be easier for a hacker to access root than an unprivileged user account.

Rob

How would I do this? Apropos doesn't show anything for 'expiries'
"man chage" ;-p

Here's a lame example:

I don't agree, though,
...and that's exactly why I told you to search this forum: to avoid unnecessary dicussion. TIA