commit ecdbab2ac007b311ed03600d096eb2a7d9358198
parent e02432d67560940157de4f803bee58e4bfe220c7
Author: pyratebeard <root@pyratebeard.net>
Date: Mon, 29 Jan 2024 21:32:11 +0000
god_complex
Diffstat:
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/entry/god_complex.md b/entry/god_complex.md
@@ -12,7 +12,7 @@ On my own systems none of this is a problem. I have my user account, which has
That is until I stumbled across an article by Dmitry Khlebnikov, [Should we use "sudo" for day-to-day activities?][1].
-Dmitry argues that the use of `sudo` less of a requirement on a correctly secured and managed system, adding that it may in fact introduce security flaws and bad practices.
+Dmitry argues that the use of `sudo` is less of a requirement on a correctly secured and managed system, adding that it may in fact introduce security flaws and bad practices.
After reading it I thought about this article for a while. Then I thought I would try something on my personal systems.
@@ -22,7 +22,7 @@ useradd -o -u 0 -g 0 -m -d /home/enoch enoch
```
* the `-o` option allows the creation of an account with an already existing UID
-On Linux and Unix systems there will always be a UID of 0, and the assigned username is generally "_root_". The convention of naming that user root was probably taken from [Multics][2], and stems from the naming of the `/` or _root_ directory. The actual username can be anything. I toyed with the idea of changing the _/etc/passwd_ entry from root to something else, but didn't know what that may break down the line, as there may be some software expecting a username of root. Probably best to leave it alone.
+On Linux and Unix systems there will always be a UID of 0, and the assigned username is generally "_root_". The convention of naming that user root was probably taken from [Multics][2], and stems from the naming of the `/` or _root_ directory. The actual username can be anything. I toyed with the idea of changing the `/etc/passwd` entry from root to something else, but didn't know what that may break down the line as there may be some software expecting a username of root. Probably best to leave it alone.
Adding a second user with UID 0 isn't unheard of. FreeBSD ships with the user _toor_ (root backwards), configured to use `tcsh` instead of `sh` as their shell (an interesting post on [daemonforums.org][3] explains the history).
@@ -38,9 +38,9 @@ I updated my SSH server config to allow root login without a password, this stil
PermitRootLogin prohibit-password
```
-I also updated my _~/.ssh/config_ accordingly to use the new username on my remote systems. Now when I `ssh` to any of them I am logging in directly as root.
+I also updated my `~/.ssh/config` accordingly to use the new username on my remote systems. Now when I `ssh` to any of them I am logging in directly as root.
-You may be thinking that this has made my systems insecure, but I don't feel it has. My use of SSH keys, and recently [SSH Certificate Authorities][2], puts me in a good place for login security. For local systems in my house there is no external access accept via VPN. For remote systems I make use of a [bastion][3], with firewall rules on all my remote systems to only allow connections to port 22 (SSH) from my bastion.
+You may be thinking that this has made my systems insecure, but I don't feel it has. My use of SSH keys, and recently [SSH Certificate Authorities][4], puts me in a good place for login security. For local systems in my house there is no external access accept via VPN. For remote systems I make use of a [bastion][5], with firewall rules on all my remote systems to only allow connections to port 22 (SSH) from my bastion.
```
iptables -A INPUT -p tcp -s <bastion_ip>/<cidr> --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
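Review bot: the rewritten line still reads "there is no external access accept via VPN"; since this line is being touched anyway, "accept" should become "except". The reference renumbering itself (`[2]` to `[4]` for SSH Certificate Authorities, `[3]` to `[5]` for the bastion) is correct and stops those links resolving to the Multics and daemonforums URLs that `[2]` and `[3]` are defined as.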
@@ -51,6 +51,5 @@ This change has altered how I work on my own systems without the need to escalat
[1]: https://dmitry.khlebnikov.net/2015/07/18/should-we-use-sudo-for-day-to-day-activities/
[2]: https://multicians.org/
[3]: https://daemonforums.org/showthread.php?t=666
-[3]: 20240102-respect_my_authoritah.html
-[4]: 20220830-a_well-fortified_position.html
-[5]: https://en.wikipedia.org/wiki/Principle_of_least_privilege
+[4]: 20240102-respect_my_authoritah.html
+[5]: 20220830-a_well-fortified_position.html
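Review bot: dropping `[5]: https://en.wikipedia.org/wiki/Principle_of_least_privilege` while reassigning `[5]` to the bastion post means any remaining `[5]` citation in the body that was meant for the least-privilege article now silently points at `20220830-a_well-fortified_position.html`; please confirm no such citation is left, or keep the least-privilege link under a fresh number (`[6]`) instead of removing it. Removing the duplicate `[3]` definition is the right fix for the broken bastion link.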