Wheel

From FreeBSDwiki
(Difference between revisions)
m
Line 1: Line 1:
 
'''wheel''' is a special user group.  By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group.  This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.
 
'''wheel''' is a special user group.  By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group.  This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.
 +
 +
If you allow direct root login over [[ssh]], it becomes possible for [[script kiddie | script kiddies]] to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account.  With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account that is a member of [[wheel]] before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.
 +
 +
It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefits inherent in this setup.
  
 
[[Category:FreeBSD Terminology]]
 
[[Category:FreeBSD Terminology]]
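
Review bot: The first added paragraph names John the Ripper as a tool for brute-forcing the root password over ssh, but John the Ripper is an offline password-hash cracker and does not attack a network login. Suggest wording such as "automated password-guessing tools" without naming it. The same paragraph recommends disabling direct root login without saying where that is configured; a pointer to the PermitRootLogin option in sshd_config would make the advice actionable.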

Revision as of 11:45, 11 September 2004

wheel is a special user group. By default, FreeBSD does not allow any user to su to root - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow su privileges to root from a select few accounts.

If you allow direct root login over ssh, it becomes possible for script kiddies to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account. With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account that is a member of wheel before even attempting to brute-force a password - and even then, would have to go through the brute-force process AGAIN, this time while interactively logged in, in order to get the root password.

It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of wheel, or you will defang much (though not all) of the security benefits inherent in this setup.
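
One way to check a host against the three recommendations above (small wheel group, no obvious names in it, no direct root login over ssh). This is an added example, not part of the wiki page. The function names, the `OBVIOUS` name list and the sample files are assumptions made for illustration, as is counting accounts whose primary group is wheel as members.

```shell
#!/bin/sh
# Audit who may su to root (wheel) and whether sshd permits direct root login.

# Names treated as "hyper-obvious"; this list is an assumption, adjust it per site.
OBVIOUS='admin administrator user test guest operator'

# Accounts in wheel: listed members plus accounts whose primary GID is wheel's GID.
wheel_members() {   # $1 = group file, $2 = passwd file
    gid=$(awk -F: '$1 == "wheel" { print $3; exit }' "$1")
    {
        awk -F: '$1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        awk -F: -v g="$gid" '$1 !~ /^#/ && $4 == g { print $1 }' "$2"
    } | sort -u
}

# Wheel members whose names appear on the OBVIOUS list.
obvious_wheel_members() {
    wheel_members "$1" "$2" | while read -r name; do
        case " $OBVIOUS " in *" $name "*) echo "$name" ;; esac
    done
}

# First active PermitRootLogin value (sshd keeps the first it reads), or "unset".
# Match blocks are not interpreted here.
root_login_setting() {   # $1 = sshd_config
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# Constructed sample files (not from a real host) so the audit runs anywhere.
SAMPLE=$(mktemp -d)
printf '%s\n' 'wheel:*:0:root,kmiller,administrator' 'operator:*:5:root' > "$SAMPLE/group"
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
    'kmiller:*:1001:1001:K Miller:/home/kmiller:/bin/sh' \
    'administrator:*:1002:1002::/home/administrator:/bin/sh' \
    'backup:*:1003:0::/home/backup:/bin/sh' > "$SAMPLE/passwd"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$SAMPLE/sshd_config"

echo "wheel members:   $(wheel_members "$SAMPLE/group" "$SAMPLE/passwd" | tr '\n' ' ')"
echo "obvious names:   $(obvious_wheel_members "$SAMPLE/group" "$SAMPLE/passwd" | tr '\n' ' ')"
echo "PermitRootLogin: $(root_login_setting "$SAMPLE/sshd_config")"
```

On a FreeBSD host, pass `/etc/group`, `/etc/passwd` and `/etc/ssh/sshd_config` to the functions instead of the sample files.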
