Comments on: Root access on Ubuntu server?

By: Mike

Mike — Sat, 13 Feb 2010 00:30:27 +0000

Thanks for the comments, DB – that’s actually what I ended up going with.

I also spent some time working with visudo to lock down sudoer accounts even more, but when I found myself having to use the root account to update things, I backed out of most of that as well. I figured having to frequently access root would just mean I’d be making root access less secure and it would be better to never have to use root and give more permission to the trusted user account.

By: DB

DB — Thu, 11 Feb 2010 20:54:29 +0000

Also, never share a password. Your proposal requires the root password to be shared. It’s just you today, but next year it’ll be 3 people, and when one leaves, you have to change the root password. Stick with individual accounts and you can easily disable a user’s SSH access and sudo privileges if needed. The whole reason sudo & SSH were invented was to circumvent the well-documented shortcomings of a single root account.

By: DB

DB — Thu, 11 Feb 2010 20:51:19 +0000

I think you’re working too hard. Just use your account + sudo, with a strong password. Use SSH to connect to your normal account, not root. In fact, disable root access by SSH in sshd_config and require public-key authentication (disable password authentication).

Spend your effort making sure people don’t break into the server in the first place. Because once they’re in, they can do damage. Little tricks like a second root password aren’t going to help you.