Re: Debian 12.9 and use of sudo for regular accounts

Fri, 21 Feb 2025 16:42:17 -0800 


On 22/2/25 06:49, Tom Dial wrote:

On 2/20/25 22:17, jeremy ardley wrote:

On 21/2/25 09:40, Tom Dial wrote:

The TL;DR here is that for maintaining personal workstations and 
servers it makes more sense to log in as root, do the work as 
required, then log out. Or there is "sudo -i" to get an interactive 
root shell and avoid prepending every command with "sudo." 




Logging in as root on a server is highly dangerous, especially if it 
has an internet facing ssh port. The big cloud providers like AWS 
provision images where there is no root login, and any access 
requires a client certificate for a non root user.



I do not see how login as the root user is meaningfully more dangerous 
in the case of personal workstations and servers than having a sudoers 
file that includes "%sudo   ALL=(ALL:ALL) ALL."





The logged in user can sudo. However on some systems like Ubuntu 
derived, root user doesn't even have a password or a shell. So the 
first thing I do is


sudo passwd root

and work from there.


With an enabled root password?



Yes. and usually with shell login added





However, certificate based access using e.g. ssh-copy-id is a 
time-bomb. Best practice is a separate IAM mechanism with centralised 
access control. I personally use LDAP to maintain ssh public keys 
backed up by an authenticator on each host. I do not permit root 
accounts in the IAM.



This seems a bit heavy-duty for personally owned and operated 
equipment on, e.g., residential premises.



It is 'robust' but not that hard especially if you have a mixed network 
with a windows domain controller to provide the public key storage



The point where the cutover from individually placed public keys to a 
centralised public key store is needed depends on how many ssh users you 
have. I'd suggest 5-10 users is where you should look at that.



More difficult is the use of authenticators such as google 
authenticator. Much intra machine ssh traffic is automatic processes 
such as backups where authenticators don't work. About the best you can 
do is only use it on high value systems and hope for the best on others 
such as backup servers.


























					Reply via email to