# Account Management



## bsus (Jul 3, 2011)

Hi, I have a short question about the group management. I read through the first half of the FreeBSD Handbook. In the security chapter I read about the "root"-problem. I only want to access root direct by the machine.

My question is should I create an extra admin account with membership in wheel which can manage the server over ssh privatekey and sudo, with which I access the server from clients, or should I make a group "admin" in the group "FILE]wheel[/FILE]" where my usual user in memberoff?

Regards


----------



## fonz (Jul 3, 2011)

bsus said:
			
		

> My question is now should I create a extra admin account with membership in wheel which can manage the server over ssh privatekey and sudo.


If you use ssh(1), be sure to disable root logins by putting

```
PermitRootLogin no
```
 in your /etc/ssh/sshd_config file.

Next, you can *either* use the wheel group (explained below) or security/sudo (see below too). There's nothing to prevent you from using both, but in my opinion that kinda defeats the purpose.

Using the wheel group:
Create a normal user account. I recommend using something less obvious than, say, "admin" or "administrator". Here I will use the name "yoda" as an example. Do *not* set yoda's primary login group to wheel. Instead, make him a member of his own group (default adduser behavior) or set his primary login group to something that already exists, such as "users" or something. Then just add yoda to the wheel group seperately. This allows yoda to login via ssh as a mortal user and then su(1) to root.

Using sudo:
You can specify who is allowed to do what in the file /usr/local/etc/sudoers. Consult the corresponding manpage for exact details, or ask a followup question here. Be careful about what you allow, though. Some programs (text editors come to mind) allow shell escapes, meaning that you may think you're only allowing somebody to edit a file but in the process you're actually allowing them to do pretty much anything!



			
				bsus said:
			
		

> or should I make a group "admin" in the group "wheel" where my usual user in memberoff?


As far as I know, you can't have groups within groups (although it can to some extent be emulated with NIS netgroups).

Hope this helps,

Fonz


----------



## bsus (Jul 3, 2011)

Thanks, for the detailed possibilities 



> Instead, make him a member of his own group (default adduser behavior) or set his primary login group to something that already exists, such as "users" or something. Then just add yoda to the wheel group seperately



I think this was what the Handbook meant. I did this and added now a user with which I can access over ssh and then "jump" to su.

Thanks for the great help, Regards.


----------

