
Because they would have to guess the username too. Everyone already knows root exists.


If knowing an account exists is like getting to the moon, logging into it if it requires a private key is like getting to Andromeda.

I mean, I tend to turn root access off, but let's not oversell what kind of security it gets you. There is effectively zero security difference between a non-root account + passwordless sudo and a root account if they both require a key to log in.


I think jamiesonbecker was implying that this new user would have sudo restricted to just doing the tasks required for its individual purpose, not completely open sudo. I disagree with their point, but yeah, that would have nothing to do with guessing the account name.


No idea how to get notifications for responses to my comments, sorry.

No, I am mostly implying that the name alone is a risk. If you've ever brought up a box on the net, you know that the first account that's attacked is root. While the above Moon/Andromeda analogy is apt, some types of vulns could also leave you open as well with a known username to log in with. Better to block those outright.

Plus, there's no reason to log in as root anyway as a simple matter of best practices; it's against virtually every security standard; no auditing of privileged access and hopefully no root account sharing!

Heavy opinion: logging into a remote machine as root on modern Linux/UNIX is just laziness.
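The two settings the thread argues over are `PermitRootLogin` in `sshd_config` and whether the non-root account's sudo is scoped or `NOPASSWD: ALL`. The script below is an added example written for this page, not code from any commenter: it audits a constructed `sshd_config` and a constructed `sudoers` snippet for exactly those points. It honours the sshd rule that the first occurrence of a keyword wins, falls back to OpenSSH's own defaults when a keyword is absent, and counts sudoers rules that grant unrestricted passwordless sudo (the "non-root account + passwordless sudo" case that one commenter calls equivalent to a root login). Stopping at the first `Match` block is a simplifying assumption; real sshd applies `Match` blocks by connection context. All sample configs are constructed, as are the `deploy` and `webapp` account names.

```shell
#!/bin/sh
# Added example for this thread, not code from any commenter. Audits an
# sshd_config and a sudoers snippet for the settings discussed above.
# Both inputs are constructed samples embedded here so the script runs offline.

# Effective value of an sshd_config keyword. sshd keeps the FIRST occurrence
# of a keyword and ignores later duplicates; keywords are case-insensitive.
# Assumption/simplification: parsing stops at the first "Match" block.
#   $1 = config text, $2 = keyword, $3 = value to report when the keyword is absent
sshd_effective() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    val=$(printf '%s\n' "$1" | awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ')
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when root SSH login is off entirely and password auth is disabled,
# 1 otherwise, printing one line per finding. Defaults used when a keyword is
# absent are OpenSSH's: PermitRootLogin prohibit-password, PasswordAuthentication yes.
audit_sshd() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    case $root in
        no) ;;
        prohibit-password|without-password)
            echo "FINDING: PermitRootLogin=$root (root reachable with a key; thread recommends 'no')"
            rc=1 ;;
        *)  echo "FINDING: PermitRootLogin=$root (root login permitted)"; rc=1 ;;
    esac
    [ "$pass" = no ] || { echo "FINDING: PasswordAuthentication=$pass (allows password guessing)"; rc=1; }
    return $rc
}

# Counts sudoers rules that grant "NOPASSWD: ALL". A rule scoped to specific
# commands (the restricted-sudo setup mentioned above) is not counted.
sudoers_unrestricted_count() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: a typical unhardened config.
WEAK_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: hardened. The trailing duplicate is ignored by sshd
# (first occurrence wins), and sshd_effective reproduces that.
HARDENED_SSHD='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes'

# Constructed sudoers sample; "deploy" and "webapp" are hypothetical accounts.
SUDOERS='root    ALL=(ALL:ALL) ALL
# unrestricted passwordless sudo: no different from a key-only root login
deploy  ALL=(ALL) NOPASSWD: ALL
# scoped rule: only the one task this account exists for
webapp  ALL=(root) NOPASSWD: /usr/bin/systemctl restart webapp.service'

main() {
    echo "== WEAK_SSHD"
    if audit_sshd "$WEAK_SSHD"; then echo "ok: root login off, key-only auth"; fi
    echo "== HARDENED_SSHD"
    if audit_sshd "$HARDENED_SSHD"; then echo "ok: root login off, key-only auth"; fi
    echo "unrestricted NOPASSWD rules in sudoers: $(sudoers_unrestricted_count "$SUDOERS")"
}

main
```

Run it against a real host with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; on a live system `sshd -T` prints the fully resolved configuration (including `Match` handling) and is the more reliable input when available.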



